[xen_CVE-2007-0998_1175009032_do_key_event.diff] do_key_event_OLD.c #3
break;
}
}
+#else
+ if (!down && sym == XK_Num_Lock)
+ vs->numlock = !vs->numlock;
+#endif
}
.\cloneFuncs\totalClone\Type-1\CVE-2011-1898_before_1mo_1301756167_init_vtd_hw.c
50
51
52
53
54
55
56
57
58
59
int apic;
for ( apic = 0; apic < nr_ioapics; apic++ )
{
if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL )
{
iommu_intremap = 0;
dprintk(XENLOG_ERR VTDPREFIX,
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! "
"Will not try to enable Interrupt Remapping.\n",
apic, IO_APIC_ID(apic));
+ show +
+ show +
64
65
66
67
68
69
70
71
72
73
if ( iommu_intremap )
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
dprintk(XENLOG_WARNING VTDPREFIX,
"Interrupt Remapping not enabled\n");
break;
.\cloneFuncs\totalClone\Type-1\CVE-2011-1898_before_1mo_1301756167_init_vtd_hw.c
63
64
65
66
67
68
69
70
71
72
}
if ( iommu_intremap )
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
dprintk(XENLOG_WARNING VTDPREFIX,
"Interrupt Remapping not enabled\n");
+ show +
+ show +
77
78
79
80
81
82
83
84
85
86
/*
* Set root entries for each VT-d engine. After set root entry,
* must globally invalidate context cache, and then globally
* invalidate IOTLB
*/
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
ret = iommu_set_root_entry(iommu);
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_after_imd_1355593562_decode_slice_header.c
614
615
616
617
618
619
620
621
622
623
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
624
625
626
627
break;
}
}
}
+ show +
628
629
630
631
632
633
634
635
636
637
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
683
684
685
686
687
688
689
690
691
692
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
693
694
695
696
break;
}
}
}
+ show +
697
698
699
700
701
702
703
704
705
706
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-1\CVE-2013-6368_before_1mo_1381164480___vcpu_run.c
26
27
28
29
30
31
32
33
34
35
vcpu->arch.pv.pv_unhalted = false;
vcpu->arch.mp_state =
KVM_MP_STATE_RUNNABLE;
case KVM_MP_STATE_RUNNABLE:
vcpu->arch.apf.halted = false;
break;
case KVM_MP_STATE_INIT_RECEIVED:
break;
default:
r = -EINTR;
+ show +
+ show +
40
41
42
43
44
45
46
47
48
49
if (r <= 0)
break;
clear_bit(KVM_REQ_PENDING_TIMER, &vcpu->requests);
if (kvm_cpu_has_pending_timer(vcpu))
kvm_inject_pending_timer_irqs(vcpu);
if (dm_request_for_irq_injection(vcpu)) {
r = -EINTR;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_after_imd_1406245806_ssl_scan_serverhello_tlsext.c
268
269
270
271
272
273
274
275
276
277
size_t i;
custom_cli_ext_record* record;
for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
{
record = &s->ctx->custom_cli_ext_records[i];
if (record->ext_type == type)
{
if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
return 0;
+ show +
278
279
280
281
break;
}
}
}
+ show +
282
283
284
285
286
287
288
289
290
291
#ifdef TLSEXT_TYPE_encrypt_then_mac
else if (type == TLSEXT_TYPE_encrypt_then_mac)
{
/* Ignore if inappropriate ciphersuite */
if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
}
#endif
data += size;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3509_before_1mo_1401731720_ssl_scan_serverhello_tlsext.c
265
266
267
268
269
270
271
272
273
274
size_t i;
custom_cli_ext_record* record;
for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
{
record = &s->ctx->custom_cli_ext_records[i];
if (record->ext_type == type)
{
if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
return 0;
+ show +
275
276
277
278
break;
}
}
}
+ show +
279
280
281
282
283
284
285
286
287
288
#ifdef TLSEXT_TYPE_encrypt_then_mac
else if (type == TLSEXT_TYPE_encrypt_then_mac)
{
/* Ignore if inappropriate ciphersuite */
if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
}
#endif
data += size;
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_after_imd_1413334435_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
{
SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
|| (alg_a & SSL_aECDSA)))
{
using_ecc = 1;
+ show +
+ show +
29
30
31
32
33
34
35
36
37
38
#endif
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding)
return orig;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-1\CVE-2014-3513_before_imd_1412111429_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
{
SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
|| (alg_a & SSL_aECDSA)))
{
using_ecc = 1;
+ show +
+ show +
29
30
31
32
33
34
35
36
37
38
#endif
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding)
return orig;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_after_1mo_1484150942_TIFFWriteDirectorySec.c
329
330
331
332
333
334
335
336
337
338
assert(o->field_type==TIFF_UNDEFINED);
assert(o->field_readcount==TIFF_VARIABLE2);
assert(o->field_passcount==1);
TIFFGetField(tif,o->field_tag,&pa,&pb);
if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb))
goto bad;
}
break;
default:
assert(0); /* we should never get here */
+ show +
339
340
341
342
break;
}
}
}
+ show +
343
344
345
346
347
348
349
350
351
352
}
}
for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++)
{
uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag;
uint32 count = tif->tif_dir.td_customValues[m].count;
switch (tif->tif_dir.td_customValues[m].info->field_type)
{
case TIFF_ASCII:
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2014-8127_before_1mo_1450437060_TIFFWriteDirectorySec.c
317
318
319
320
321
322
323
324
325
326
assert(o->field_type==TIFF_UNDEFINED);
assert(o->field_readcount==TIFF_VARIABLE2);
assert(o->field_passcount==1);
TIFFGetField(tif,o->field_tag,&pa,&pb);
if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb))
goto bad;
}
break;
default:
assert(0); /* we should never get here */
+ show +
327
328
329
330
break;
}
}
}
+ show +
331
332
333
334
335
336
337
338
339
340
}
}
for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++)
{
uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag;
uint32 count = tif->tif_dir.td_customValues[m].count;
switch (tif->tif_dir.td_customValues[m].info->field_type)
{
case TIFF_ASCII:
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2015-1793_after_1mo_1438981770_X509_verify_cert.c
212
213
214
215
216
217
218
219
220
221
* Dump all the certs above this point - we've found an
* alternate chain
*/
while (num > j) {
xtmp = sk_X509_pop(ctx->chain);
X509_free(xtmp);
num--;
}
ctx->last_untrusted = sk_X509_num(ctx->chain);
retry = 1;
+ show +
222
223
224
225
break;
}
}
}
+ show +
226
227
228
229
230
231
232
233
234
235
} while (retry);
/*
* If not explicitly trusted then indicate error unless it's a single
* self signed certificate in which case we've indicated an error already
* and set bad_chain == 1
*/
if (i != X509_TRUST_TRUSTED && !bad_chain) {
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
.\cloneFuncs\totalClone\Type-1\CVE-2015-1793_before_imd_1435157736_X509_verify_cert.c
206
207
208
209
210
211
212
213
214
215
* Dump all the certs above this point - we've found an
* alternate chain
*/
while (num > j) {
xtmp = sk_X509_pop(ctx->chain);
X509_free(xtmp);
num--;
}
ctx->last_untrusted = sk_X509_num(ctx->chain);
retry = 1;
+ show +
216
217
218
219
break;
}
}
}
+ show +
220
221
222
223
224
225
226
227
228
229
} while (retry);
/*
* If not explicitly trusted then indicate error unless it's a single
* self signed certificate in which case we've indicated an error already
* and set bad_chain == 1
*/
if (i != X509_TRUST_TRUSTED && !bad_chain) {
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
.\cloneFuncs\totalClone\Type-1\CVE-2015-3417_after_imd_1432622742_ff_h264_decode_slice_header.c
590
591
592
593
594
595
596
597
598
599
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
600
601
602
603
break;
}
}
}
+ show +
604
605
606
607
608
609
610
611
612
613
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-1\CVE-2015-3417_before_imd_1431334367_ff_h264_decode_slice_header.c
589
590
591
592
593
594
595
596
597
598
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
599
600
601
602
break;
}
}
}
+ show +
603
604
605
606
607
608
609
610
611
612
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_after_1mo_1473024775_PickContigCase.c
125
126
127
128
129
130
131
132
133
134
img->put.contig = putcontig8bitYCbCr22tile;
break;
case 0x21:
img->put.contig = putcontig8bitYCbCr21tile;
break;
case 0x12:
img->put.contig = putcontig8bitYCbCr12tile;
break;
case 0x11:
img->put.contig = putcontig8bitYCbCr11tile;
+ show +
135
136
137
138
break;
}
}
}
+ show +
139
140
141
142
143
144
145
146
147
148
break;
case PHOTOMETRIC_CIELAB:
if (img->samplesperpixel == 3 && buildMap(img)) {
if (img->bitspersample == 8)
img->put.contig = initCIELabConversion(img);
break;
}
}
return ((img->get!=NULL) && (img->put.contig!=NULL));
}
.\cloneFuncs\totalClone\Type-1\CVE-2015-8665_before_1mo_1447878907_PickContigCase.c
121
122
123
124
125
126
127
128
129
130
img->put.contig = putcontig8bitYCbCr22tile;
break;
case 0x21:
img->put.contig = putcontig8bitYCbCr21tile;
break;
case 0x12:
img->put.contig = putcontig8bitYCbCr12tile;
break;
case 0x11:
img->put.contig = putcontig8bitYCbCr11tile;
+ show +
131
132
133
134
break;
}
}
}
+ show +
135
136
137
138
139
140
141
142
143
144
break;
case PHOTOMETRIC_CIELAB:
if (buildMap(img)) {
if (img->bitspersample == 8)
img->put.contig = initCIELabConversion(img);
break;
}
}
return ((img->get!=NULL) && (img->put.contig!=NULL));
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_after_imd_1497264335_TIFFReadDirectory.c
165
166
167
168
169
170
171
172
173
174
case TIFFTAG_PLANARCONFIG:
case TIFFTAG_ROWSPERSTRIP:
case TIFFTAG_EXTRASAMPLES:
if (!TIFFFetchNormalTag(tif,dp,0))
goto bad;
dp->tdir_tag=IGNORE;
break;
default:
if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
dp->tdir_tag=IGNORE;
+ show +
175
176
177
178
break;
}
}
}
+ show +
179
180
181
182
183
184
185
186
187
188
}
/*
* XXX: OJPEG hack.
* If a) compression is OJPEG, b) planarconfig tag says it's separate,
* c) strip offsets/bytecounts tag are both present and
* d) both contain exactly one value, then we consistently find
* that the buggy implementation of the buggy compression scheme
* matches contig planarconfig best. So we 'fix-up' the tag here
*/
if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_after_imd_1497264335_TIFFReadDirectory.c
635
636
637
638
639
640
641
642
643
644
*/
#if !defined(DEFER_STRILE_LOAD)
if (tif->tif_dir.td_nstrips > 1) {
uint32 strip;
tif->tif_dir.td_stripbytecountsorted = 1;
for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
if (tif->tif_dir.td_stripoffset[strip - 1] >
tif->tif_dir.td_stripoffset[strip]) {
tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
645
646
647
648
break;
}
}
}
+ show +
649
650
651
652
653
654
655
656
657
658
#endif /* !defined(DEFER_STRILE_LOAD) */
/*
* An opportunity for compression mode dependent tag fixup
*/
(*tif->tif_fixuptags)(tif);
/*
* Some manufacturers make life difficult by writing
* large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_before_imd_1493307982_TIFFReadDirectory.c
161
162
163
164
165
166
167
168
169
170
case TIFFTAG_IMAGEDEPTH:
case TIFFTAG_TILELENGTH:
case TIFFTAG_TILEWIDTH:
case TIFFTAG_TILEDEPTH:
case TIFFTAG_PLANARCONFIG:
case TIFFTAG_ROWSPERSTRIP:
case TIFFTAG_EXTRASAMPLES:
if (!TIFFFetchNormalTag(tif,dp,0))
goto bad;
dp->tdir_tag=IGNORE;
+ show +
171
172
173
174
break;
}
}
}
+ show +
175
176
177
178
179
180
181
182
183
184
}
/*
* XXX: OJPEG hack.
* If a) compression is OJPEG, b) planarconfig tag says it's separate,
* c) strip offsets/bytecounts tag are both present and
* d) both contain exactly one value, then we consistently find
* that the buggy implementation of the buggy compression scheme
* matches contig planarconfig best. So we 'fix-up' the tag here
*/
if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-1\CVE-2016-10095_before_imd_1493307982_TIFFReadDirectory.c
631
632
633
634
635
636
637
638
639
640
*/
#if !defined(DEFER_STRILE_LOAD)
if (tif->tif_dir.td_nstrips > 1) {
uint32 strip;
tif->tif_dir.td_stripbytecountsorted = 1;
for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
if (tif->tif_dir.td_stripoffset[strip - 1] >
tif->tif_dir.td_stripoffset[strip]) {
tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
641
642
643
644
break;
}
}
}
+ show +
645
646
647
648
649
650
651
652
653
654
#endif /* !defined(DEFER_STRILE_LOAD) */
/*
* An opportunity for compression mode dependent tag fixup
*/
(*tif->tif_fixuptags)(tif);
/*
* Some manufacturers make life difficult by writing
* large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_after_1mo_1512122530_cvt_by_tile.c
96
97
98
99
100
101
102
103
104
105
/*
* Write out the result in a tile.
*/
if( TIFFWriteEncodedTile( out,
TIFFComputeTile( out, col, row, 0, 0),
raster,
4 * tile_width * tile_height ) == -1 )
{
ok = 0;
+ show +
106
107
108
109
break;
}
}
}
+ show +
110
111
112
113
114
115
_TIFFfree( raster );
_TIFFfree( wrk_line );
return ok;
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-3945_before_1mo_1402198621_cvt_by_tile.c
83
84
85
86
87
88
89
90
91
92
/*
* Write out the result in a tile.
*/
if( TIFFWriteEncodedTile( out,
TIFFComputeTile( out, col, row, 0, 0),
raster,
4 * tile_width * tile_height ) == -1 )
{
ok = 0;
+ show +
+ show +
97
98
99
100
101
102
_TIFFfree( raster );
_TIFFfree( wrk_line );
return ok;
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-6213_after_1mo_1546723558_propagate_umount.c
47
48
49
50
51
52
53
54
55
56
list_add_tail(&child->mnt_umounting, &visited);
continue;
}
/* Check the child and parents while progress is made */
while (__propagate_umount(child,
&to_umount, &to_restore)) {
/* Is the parent a umount candidate? */
child = child->mnt_parent;
if (list_empty(&child->mnt_umounting))
+ show +
+ show +
61
62
63
64
65
66
67
68
umount_list(&to_umount, &to_restore);
restore_mounts(&to_restore);
cleanup_umount_visitations(&visited);
list_splice_tail(&to_umount, list);
return 0;
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-6213_before_imd_1477343773_propagate_umount.c
14
15
16
17
18
19
20
21
22
23
mnt->mnt_mountpoint);
if (!child)
continue;
/* Check the child and parents while progress is made */
while (__propagate_umount(child,
&to_umount, &to_restore)) {
/* Is the parent a umount candidate? */
child = child->mnt_parent;
if (list_empty(&child->mnt_umounting))
+ show +
+ show +
28
29
30
31
32
33
34
umount_list(&to_umount, &to_restore);
restore_mounts(&to_restore);
list_splice_tail(&to_umount, list);
return 0;
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
107
108
109
110
111
112
113
114
115
116
b = insn_fetch_type(uint8_t);
d = twobyte_table[b];
switch ( b )
{
default:
ext = ext_0f;
break;
case 0x38:
b = insn_fetch_type(uint8_t);
ext = ext_0f38;
+ show +
117
118
119
120
break;
}
}
}
+ show +
121
122
123
124
125
126
127
128
129
130
/* ModRM and SIB bytes. */
if ( d & ModRM )
{
modrm = insn_fetch_type(uint8_t);
modrm_mod = (modrm & 0xc0) >> 6;
if ( !ext && ((b & ~1) == 0xc4) )
switch ( def_ad_bytes )
{
.\cloneFuncs\totalClone\Type-1\CVE-2017-12991_before_1mo_1477512990_bgp_attr_print.c
348
349
350
351
352
353
354
355
356
357
}
break;
default:
ND_TCHECK2(tptr[0], tlen);
ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi));
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
358
359
360
361
break;
}
}
}
+ show +
362
363
364
365
366
367
368
369
370
371
ND_PRINT((ndo, ", nh-length: %u", nhlen));
tptr += tlen;
ND_TCHECK(tptr[0]);
snpa = tptr[0];
tptr++;
if (snpa) {
ND_PRINT((ndo, "\n\t %u SNPA", snpa));
for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-12994_before_imd_1486412078_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
}
break;
default:
ND_TCHECK2(tptr[0], tlen);
ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi));
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
359
360
361
362
break;
}
}
}
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen));
tptr += tlen;
ND_TCHECK(tptr[0]);
snpa = tptr[0];
tptr++;
if (snpa) {
ND_PRINT((ndo, "\n\t %u SNPA", snpa));
for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13046_after_1mo_1502455142_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
}
break;
default:
ND_TCHECK2(tptr[0], tlen);
ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi));
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
359
360
361
362
break;
}
}
}
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen));
tptr += tlen;
ND_TCHECK(tptr[0]);
snpa = tptr[0];
tptr++;
if (snpa) {
ND_PRINT((ndo, "\n\t %u SNPA", snpa));
for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-13046_before_imd_1489136568_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
}
break;
default:
ND_TCHECK2(tptr[0], tlen);
ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi));
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
359
360
361
362
break;
}
}
}
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen));
tptr += tlen;
ND_TCHECK(tptr[0]);
snpa = tptr[0];
tptr++;
if (snpa) {
ND_PRINT((ndo, "\n\t %u SNPA", snpa));
for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2017-15268_after_1mo_1516290774_vnc_update_client.c
49
50
51
52
53
54
55
56
57
58
bitmap_clear(vs->dirty[y], x, x2 - x);
h = find_and_clear_dirty_height(vs, y, x, x2, height);
x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
if (x2 > x) {
n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
(x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
}
if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
y += h;
if (y == height) {
+ show +
+ show +
63
64
65
66
67
68
69
vs->job_update = vs->update;
vs->update = VNC_STATE_UPDATE_NONE;
vnc_job_push(job);
vs->has_dirty = 0;
return n;
}
.\cloneFuncs\totalClone\Type-1\CVE-2017-15268_before_imd_1513624344_vnc_update_client.c
49
50
51
52
53
54
55
56
57
58
bitmap_clear(vs->dirty[y], x, x2 - x);
h = find_and_clear_dirty_height(vs, y, x, x2, height);
x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
if (x2 > x) {
n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
(x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
}
if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
y += h;
if (y == height) {
+ show +
+ show +
63
64
65
66
67
68
vnc_job_push(job);
vs->update = VNC_STATE_UPDATE_NONE;
vs->has_dirty = 0;
return n;
}
.\cloneFuncs\totalClone\Type-1\CVE-2017-9608_before_imd_1492941237_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0;
if (!pic_found) {
for (i = 0; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
i++;
pic_found = 1;
dctx->cur_byte = 0;
dctx->remaining = 0;
+ show +
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
dctx->cur_byte++;
state = (state << 8) | buf[i];
if (dctx->cur_byte == 24) {
dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-1\CVE-2018-10963_before_1mo_1503495222_TIFFWriteDirectorySec.c
329
330
331
332
333
334
335
336
337
338
assert(o->field_type==TIFF_UNDEFINED);
assert(o->field_readcount==TIFF_VARIABLE2);
assert(o->field_passcount==1);
TIFFGetField(tif,o->field_tag,&pa,&pb);
if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb))
goto bad;
}
break;
default:
assert(0); /* we should never get here */
+ show +
339
340
341
342
break;
}
}
}
+ show +
343
344
345
346
347
348
349
350
351
352
}
}
for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++)
{
uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag;
uint32 count = tif->tif_dir.td_customValues[m].count;
switch (tif->tif_dir.td_customValues[m].info->field_type)
{
case TIFF_ASCII:
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-1\CVE-2018-16300_before_imd_1567093481_bgp_attr_print.c
314
315
316
317
318
319
320
321
322
323
break;
default:
/*
* bgp_mp_af_print() should have saved us from
* an unsupported AFI/SAFI.
*/
ND_PRINT("ERROR: no AFI %u/SAFI %u nexthop decoder", af, safi);
tptr += tlen;
tlen = 0;
goto done;
+ show +
324
325
326
327
break;
}
}
}
+ show +
328
329
330
331
332
333
334
335
336
337
ND_PRINT(", nh-length: %u", nhlen);
tptr += tlen;
ND_TCHECK_1(tptr);
snpa = GET_U_1(tptr);
tptr++;
if (snpa) {
ND_PRINT("\n\t %u SNPA", snpa);
for (/*nothing*/; snpa != 0; snpa--) {
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_after_1mo_1528939102_kvm_get_supported_msrs.c
81
82
83
84
85
86
87
88
89
90
has_msr_hv_frequencies = true;
break;
case HV_X64_MSR_REENLIGHTENMENT_CONTROL:
has_msr_hv_reenlightenment = true;
break;
case MSR_IA32_SPEC_CTRL:
has_msr_spec_ctrl = true;
break;
case MSR_VIRT_SSBD:
has_msr_virt_ssbd = true;
+ show +
+ show +
95
96
97
98
99
100
g_free(kvm_msr_list);
}
return ret;
}
.\cloneFuncs\totalClone\Type-1\CVE-2018-3639_before_imd_1523447436_kvm_get_supported_msrs.c
78
79
80
81
82
83
84
85
86
87
has_msr_hv_stimer = true;
break;
case HV_X64_MSR_TSC_FREQUENCY:
has_msr_hv_frequencies = true;
break;
case HV_X64_MSR_REENLIGHTENMENT_CONTROL:
has_msr_hv_reenlightenment = true;
break;
case MSR_IA32_SPEC_CTRL:
has_msr_spec_ctrl = true;
+ show +
+ show +
92
93
94
95
96
97
g_free(kvm_msr_list);
}
return ret;
}
.\cloneFuncs\totalClone\Type-2\CVE-2012-2782_after_1mo_1356282605_decode_slice_header.c
614
615
616
617
618
619
620
621
622
623
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
624
625
626
627
break;
}
}
}
+ show +
628
629
630
631
632
633
634
635
636
637
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-2\CVE-2013-6368_after_1mo_1390456818___vcpu_run.c
21
22
23
24
25
26
27
28
29
30
vcpu->arch.pv.pv_unhalted = false;
vcpu->arch.mp_state =
KVM_MP_STATE_RUNNABLE;
case KVM_MP_STATE_RUNNABLE:
vcpu->arch.apf.halted = false;
break;
case KVM_MP_STATE_INIT_RECEIVED:
break;
default:
r = -EINTR;
+ show +
+ show +
35
36
37
38
39
40
41
42
43
44
if (r <= 0)
break;
clear_bit(KVM_REQ_PENDING_TIMER, &vcpu->requests);
if (kvm_cpu_has_pending_timer(vcpu))
kvm_inject_pending_timer_irqs(vcpu);
if (dm_request_for_irq_injection(vcpu)) {
r = -EINTR;
.\cloneFuncs\totalClone\Type-2\CVE-2014-8127_before_6mo_1448206263_TIFFWriteDirectorySec.c
317
318
319
320
321
322
323
324
325
326
assert(o->field_type==TIFF_UNDEFINED);
assert(o->field_readcount==TIFF_VARIABLE2);
assert(o->field_passcount==1);
TIFFGetField(tif,o->field_tag,&pa,&pb);
if (!TIFFWriteDirectoryTagUndefinedArray(tif,&ndir,dir,(uint16)o->field_tag,pa,pb))
goto bad;
}
break;
default:
assert(0); /* we should never get here */
+ show +
327
328
329
330
break;
}
}
}
+ show +
331
332
333
334
335
336
337
338
339
340
}
}
for (m=0; m<(uint32)(tif->tif_dir.td_customValueCount); m++)
{
uint16 tag = (uint16)tif->tif_dir.td_customValues[m].info->field_tag;
uint32 count = tif->tif_dir.td_customValues[m].count;
switch (tif->tif_dir.td_customValues[m].info->field_type)
{
case TIFF_ASCII:
if (!TIFFWriteDirectoryTagAscii(tif,&ndir,dir,tag,count,tif->tif_dir.td_customValues[m].value))
.\cloneFuncs\totalClone\Type-2\CVE-2015-1793_before_1mo_1431615408_X509_verify_cert.c
206
207
208
209
210
211
212
213
214
215
* Dump all the certs above this point - we've found an
* alternate chain
*/
while (num > j) {
xtmp = sk_X509_pop(ctx->chain);
X509_free(xtmp);
num--;
ctx->last_untrusted--;
}
retry = 1;
+ show +
216
217
218
219
break;
}
}
}
+ show +
220
221
222
223
224
225
226
227
228
229
} while (retry);
/*
* If not explicitly trusted then indicate error unless it's a single
* self signed certificate in which case we've indicated an error already
* and set bad_chain == 1
*/
if (i != X509_TRUST_TRUSTED && !bad_chain) {
if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
if (ctx->last_untrusted >= num)
.\cloneFuncs\totalClone\Type-2\CVE-2016-3945_after_6mo_1583583716_cvt_by_tile.c
96
97
98
99
100
101
102
103
104
105
/*
* Write out the result in a tile.
*/
if( TIFFWriteEncodedTile( out,
TIFFComputeTile( out, col, row, 0, 0),
raster,
4 * tile_width * tile_height ) == -1 )
{
ok = 0;
+ show +
106
107
108
109
break;
}
}
}
+ show +
110
111
112
113
114
115
_TIFFfree( raster );
_TIFFfree( wrk_line );
return ok;
}
.\cloneFuncs\totalClone\Type-2\CVE-2016-7093_after_1mo_1474903296_x86_emulate.c
103
104
105
106
107
108
109
110
111
112
b = insn_fetch_type(uint8_t);
d = twobyte_table[b];
switch ( b )
{
default:
ext = ext_0f;
break;
case 0x38:
b = insn_fetch_type(uint8_t);
ext = ext_0f38;
+ show +
113
114
115
116
break;
}
}
}
+ show +
117
118
119
120
121
122
123
124
125
126
/* ModRM and SIB bytes. */
if ( d & ModRM )
{
modrm = insn_fetch_type(uint8_t);
modrm_mod = (modrm & 0xc0) >> 6;
if ( !ext && ((b & ~1) == 0xc4) )
switch ( def_ad_bytes )
{
.\cloneFuncs\totalClone\Type-2\CVE-2017-9608_after_imd_1536385333_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0;
if (!pic_found) {
for (i = 0; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
i++;
pic_found = 1;
dctx->cur_byte = 0;
dctx->remaining = 0;
+ show +
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
dctx->cur_byte++;
state = (state << 8) | buf[i];
if (dctx->cur_byte == 24) {
dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_1mo_1308150611_init_vtd_hw.c
50
51
52
53
54
55
56
57
58
59
int apic;
for ( apic = 0; apic < nr_ioapics; apic++ )
{
if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL )
{
iommu_intremap = 0;
dprintk(XENLOG_ERR VTDPREFIX,
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! "
"Will not try to enable Interrupt Remapping.\n",
apic, IO_APIC_ID(apic));
+ show +
+ show +
64
65
66
67
68
69
70
71
72
73
if ( iommu_intremap )
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
iommu_intremap = 0;
dprintk(XENLOG_WARNING VTDPREFIX,
"Interrupt Remapping not enabled\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_1mo_1308150611_init_vtd_hw.c
65
66
67
68
69
70
71
72
73
74
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
iommu_intremap = 0;
dprintk(XENLOG_WARNING VTDPREFIX,
"Interrupt Remapping not enabled\n");
+ show +
+ show +
79
80
81
82
83
84
85
86
87
88
/*
* Set root entries for each VT-d engine. After set root entry,
* must globally invalidate context cache, and then globally
* invalidate IOTLB
*/
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
ret = iommu_set_root_entry(iommu);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_6mo_1321364861_init_vtd_hw.c
51
52
53
54
55
56
57
58
59
60
int apic;
for ( apic = 0; apic < nr_ioapics; apic++ )
{
if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL )
{
iommu_intremap = 0;
dprintk(XENLOG_ERR VTDPREFIX,
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! "
"Will not try to enable Interrupt Remapping.\n",
apic, IO_APIC_ID(apic));
+ show +
+ show +
65
66
67
68
69
70
71
72
73
74
if ( iommu_intremap )
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
iommu_intremap = 0;
dprintk(XENLOG_WARNING VTDPREFIX,
"Interrupt Remapping not enabled\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_after_6mo_1321364861_init_vtd_hw.c
66
67
68
69
70
71
72
73
74
75
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
iommu_intremap = 0;
dprintk(XENLOG_WARNING VTDPREFIX,
"Interrupt Remapping not enabled\n");
+ show +
+ show +
80
81
82
83
84
85
86
87
88
89
/*
* Set root entries for each VT-d engine. After set root entry,
* must globally invalidate context cache, and then globally
* invalidate IOTLB
*/
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
ret = iommu_set_root_entry(iommu);
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_before_6mo_1288772331_init_vtd_hw.c
52
53
54
55
56
57
58
59
60
61
int apic;
for ( apic = 0; apic < nr_ioapics; apic++ )
{
if ( ioapic_to_iommu(IO_APIC_ID(apic)) == NULL )
{
iommu_intremap = 0;
dprintk(XENLOG_ERR VTDPREFIX,
"ioapic_to_iommu: ioapic 0x%x (id: 0x%x) is NULL! "
"Will not try to enable Interrupt Remapping.\n",
apic, IO_APIC_ID(apic));
+ show +
+ show +
66
67
68
69
70
71
72
73
74
75
if ( iommu_intremap )
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
dprintk(XENLOG_WARNING VTDPREFIX,
"Failed to enable Interrupt Remapping!\n");
.\cloneFuncs\totalClone\Type-3\CVE-2011-1898_before_6mo_1288772331_init_vtd_hw.c
66
67
68
69
70
71
72
73
74
75
if ( iommu_intremap )
{
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
if ( enable_intremap(iommu, 0) != 0 )
{
dprintk(XENLOG_WARNING VTDPREFIX,
"Failed to enable Interrupt Remapping!\n");
+ show +
+ show +
80
81
82
83
84
85
86
87
88
89
for_each_drhd_unit ( drhd )
{
iommu = drhd->iommu;
ret = iommu_set_root_entry(iommu);
if ( ret )
{
dprintk(XENLOG_ERR VTDPREFIX, "IOMMU: set root entry failed\n");
return -EIO;
}
.\cloneFuncs\totalClone\Type-3\CVE-2012-2782_after_1mo_1355951034_decode_slice_header.c
623
624
625
626
627
628
629
630
631
632
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
633
634
635
636
break;
}
}
}
+ show +
637
638
639
640
641
642
643
644
645
646
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-3\CVE-2012-2782_before_1mo_1343015170_decode_slice_header.c
662
663
664
665
666
667
668
669
670
671
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
672
673
674
675
break;
}
}
}
+ show +
676
677
678
679
680
681
682
683
684
685
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-3\CVE-2013-6368_before_6mo_1368141701___vcpu_run.c
25
26
27
28
29
30
31
32
33
34
case KVM_MP_STATE_HALTED:
vcpu->arch.mp_state =
KVM_MP_STATE_RUNNABLE;
case KVM_MP_STATE_RUNNABLE:
vcpu->arch.apf.halted = false;
break;
case KVM_MP_STATE_INIT_RECEIVED:
break;
default:
r = -EINTR;
+ show +
+ show +
39
40
41
42
43
44
45
46
47
48
if (r <= 0)
break;
clear_bit(KVM_REQ_PENDING_TIMER, &vcpu->requests);
if (kvm_cpu_has_pending_timer(vcpu))
kvm_inject_pending_timer_irqs(vcpu);
if (dm_request_for_irq_injection(vcpu)) {
r = -EINTR;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3509_before_6mo_1389879991_ssl_scan_serverhello_tlsext.c
266
267
268
269
270
271
272
273
274
275
size_t i;
custom_cli_ext_record* record;
for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
{
record = &s->ctx->custom_cli_ext_records[i];
if (record->ext_type == type)
{
if (record->fn2 && !record->fn2(s, type, data, size, al, record->arg))
return 0;
+ show +
276
277
278
279
break;
}
}
}
+ show +
280
281
282
283
284
285
286
287
288
289
#ifdef TLSEXT_TYPE_encrypt_then_mac
else if (type == TLSEXT_TYPE_encrypt_then_mac)
{
/* Ignore if inappropriate ciphersuite */
if (s->s3->tmp.new_cipher->algorithm_mac != SSL_AEAD)
s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC;
}
#endif
data += size;
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_after_1mo_1415662184_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
{
SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
|| (alg_a & SSL_aECDSA)))
{
using_ecc = 1;
+ show +
+ show +
29
30
31
32
33
34
35
36
37
38
#endif
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding)
return orig;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_1mo_1408209386_ssl_add_clienthello_tlsext.c
15
16
17
18
19
20
21
22
23
24
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
{
SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
|| (alg_a & SSL_aECDSA)))
{
using_ecc = 1;
+ show +
+ show +
29
30
31
32
33
34
35
36
37
38
#endif
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding)
return orig;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-3\CVE-2014-3513_before_6mo_1396741866_ssl_add_clienthello_tlsext.c
14
15
16
17
18
19
20
21
22
23
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++)
{
SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE|SSL_kECDHr|SSL_kECDHe)
|| (alg_a & SSL_aECDSA)))
{
using_ecc = 1;
+ show +
+ show +
28
29
30
31
32
33
34
35
36
37
#endif
/* don't add extensions for SSLv3 unless doing secure renegotiation */
if (s->client_version == SSL3_VERSION
&& !s->s3->send_connection_binding)
return p;
ret+=2;
if (ret>=limit) return NULL; /* this really never occurs, but ... */
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_1mo_1430903575_ff_h264_decode_slice_header.c
593
594
595
596
597
598
599
600
601
602
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
603
604
605
606
break;
}
}
}
+ show +
607
608
609
610
611
612
613
614
615
616
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_1mo_1435423097_ff_h264_decode_slice_header.c
706
707
708
709
710
711
712
713
714
715
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
716
717
718
719
break;
}
}
}
+ show +
720
721
722
723
724
725
726
727
728
729
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_6mo_1448902308_ff_h264_decode_slice_header.c
613
614
615
616
617
618
619
620
621
622
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
623
624
625
626
break;
}
}
}
+ show +
627
628
629
630
631
632
633
634
635
636
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_after_imd_1433014380_ff_h264_decode_slice_header.c
703
704
705
706
707
708
709
710
711
712
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
713
714
715
716
break;
}
}
}
+ show +
717
718
719
720
721
722
723
724
725
726
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2015-3417_before_1mo_1426496256_ff_h264_decode_slice_header.c
580
581
582
583
584
585
586
587
588
589
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f.buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
590
591
592
593
break;
}
}
}
+ show +
594
595
596
597
598
599
600
601
602
603
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_after_1mo_1500124796_TIFFReadDirectory.c
165
166
167
168
169
170
171
172
173
174
case TIFFTAG_PLANARCONFIG:
case TIFFTAG_ROWSPERSTRIP:
case TIFFTAG_EXTRASAMPLES:
if (!TIFFFetchNormalTag(tif,dp,0))
goto bad;
dp->tdir_tag=IGNORE;
break;
default:
if( !_TIFFCheckFieldIsValidForCodec(tif, dp->tdir_tag) )
dp->tdir_tag=IGNORE;
+ show +
175
176
177
178
break;
}
}
}
+ show +
179
180
181
182
183
184
185
186
187
188
}
/*
* XXX: OJPEG hack.
* If a) compression is OJPEG, b) planarconfig tag says it's separate,
* c) strip offsets/bytecounts tag are both present and
* d) both contain exactly one value, then we consistently find
* that the buggy implementation of the buggy compression scheme
* matches contig planarconfig best. So we 'fix-up' the tag here
*/
if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_after_1mo_1500124796_TIFFReadDirectory.c
637
638
639
640
641
642
643
644
645
646
*/
#if !defined(DEFER_STRILE_LOAD)
if (tif->tif_dir.td_nstrips > 1) {
uint32 strip;
tif->tif_dir.td_stripbytecountsorted = 1;
for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
if (tif->tif_dir.td_stripoffset[strip - 1] >
tif->tif_dir.td_stripoffset[strip]) {
tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
647
648
649
650
break;
}
}
}
+ show +
651
652
653
654
655
656
657
658
659
660
#endif /* !defined(DEFER_STRILE_LOAD) */
/*
* An opportunity for compression mode dependent tag fixup
*/
(*tif->tif_fixuptags)(tif);
/*
* Some manufacturers make life difficult by writing
* large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_before_1mo_1484150942_TIFFReadDirectory.c
161
162
163
164
165
166
167
168
169
170
case TIFFTAG_IMAGEDEPTH:
case TIFFTAG_TILELENGTH:
case TIFFTAG_TILEWIDTH:
case TIFFTAG_TILEDEPTH:
case TIFFTAG_PLANARCONFIG:
case TIFFTAG_ROWSPERSTRIP:
case TIFFTAG_EXTRASAMPLES:
if (!TIFFFetchNormalTag(tif,dp,0))
goto bad;
dp->tdir_tag=IGNORE;
+ show +
171
172
173
174
break;
}
}
}
+ show +
175
176
177
178
179
180
181
182
183
184
}
/*
* XXX: OJPEG hack.
* If a) compression is OJPEG, b) planarconfig tag says it's separate,
* c) strip offsets/bytecounts tag are both present and
* d) both contain exactly one value, then we consistently find
* that the buggy implementation of the buggy compression scheme
* matches contig planarconfig best. So we 'fix-up' the tag here
*/
if ((tif->tif_dir.td_compression==COMPRESSION_OJPEG)&&
.\cloneFuncs\totalClone\Type-3\CVE-2016-10095_before_1mo_1484150942_TIFFReadDirectory.c
615
616
617
618
619
620
621
622
623
624
*/
#if !defined(DEFER_STRILE_LOAD)
if (tif->tif_dir.td_nstrips > 1) {
uint32 strip;
tif->tif_dir.td_stripbytecountsorted = 1;
for (strip = 1; strip < tif->tif_dir.td_nstrips; strip++) {
if (tif->tif_dir.td_stripoffset[strip - 1] >
tif->tif_dir.td_stripoffset[strip]) {
tif->tif_dir.td_stripbytecountsorted = 0;
+ show +
625
626
627
628
break;
}
}
}
+ show +
629
630
631
632
633
634
635
636
637
638
#endif /* !defined(DEFER_STRILE_LOAD) */
/*
* An opportunity for compression mode dependent tag fixup
*/
(*tif->tif_fixuptags)(tif);
/*
* Some manufacturers make life difficult by writing
* large amounts of uncompressed data as a single strip.
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_after_imd_1486498087_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
}
break;
default:
ND_TCHECK2(tptr[0], tlen);
ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi));
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
359
360
361
362
break;
}
}
}
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen));
tptr += tlen;
ND_TCHECK(tptr[0]);
snpa = tptr[0];
tptr++;
if (snpa) {
ND_PRINT((ndo, "\n\t %u SNPA", snpa));
for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-3\CVE-2017-12991_before_6mo_1468230214_bgp_attr_print.c
349
350
351
352
353
354
355
356
357
358
}
break;
default:
ND_TCHECK2(tptr[0], tlen);
ND_PRINT((ndo, "no AFI %u/SAFI %u decoder", af, safi));
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
359
360
361
362
break;
}
}
}
+ show +
363
364
365
366
367
368
369
370
371
372
ND_PRINT((ndo, ", nh-length: %u", nhlen));
tptr += tlen;
ND_TCHECK(tptr[0]);
snpa = tptr[0];
tptr++;
if (snpa) {
ND_PRINT((ndo, "\n\t %u SNPA", snpa));
for (/*nothing*/; snpa > 0; snpa--) {
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_after_1mo_1562399506_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0;
if (!pic_found) {
for (i = 0; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
i++;
pic_found = 1;
dctx->cur_byte = 0;
dctx->remaining = 0;
+ show +
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
dctx->cur_byte++;
state = (state << 8) | buf[i];
if (dctx->cur_byte == 24) {
dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_after_6mo_1562399570_dnxhd_find_frame_end.c
7
8
9
10
11
12
13
14
15
16
int i = 0;
if (!pic_found) {
for (i = 0; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
i++;
pic_found = 1;
dctx->cur_byte = 0;
dctx->remaining = 0;
+ show +
+ show +
21
22
23
24
25
26
27
28
29
30
if (pic_found && !dctx->remaining) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
dctx->cur_byte++;
state = (state << 8) | buf[i];
if (dctx->cur_byte == 24) {
dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_after_6mo_1562399570_dnxhd_find_frame_end.c
48
49
50
51
52
53
54
55
56
57
pc->frame_start_found = 0;
pc->state64 = -1;
dctx->cur_byte = 0;
dctx->remaining = 0;
return remaining;
} else {
dctx->remaining -= buf_size;
// Update variables for correctness, they are currently not used beyond here
state = -1;
dctx->cur_byte += buf_size - i;
+ show +
+ show +
62
63
64
65
66
67
68
69
70
71
} else if (pic_found) {
if (dctx->remaining > buf_size) {
dctx->remaining -= buf_size;
} else {
int remaining = dctx->remaining;
pc->frame_start_found = 0;
pc->state64 = -1;
dctx->cur_byte = 0;
dctx->remaining = 0;
.\cloneFuncs\totalClone\Type-3\CVE-2017-9608_before_1mo_1492178947_dnxhd_find_frame_end.c
11
12
13
14
15
16
17
18
19
20
if (!pic_found) {
for (i = 0; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
i++;
pic_found = 1;
interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
cur_field = state&1;
dctx->cur_byte = 0;
dctx->remaining = 0;
+ show +
+ show +
25
26
27
28
29
30
31
32
33
34
if (pic_found && !dctx->remaining) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
dctx->cur_byte++;
state = (state << 8) | buf[i];
if (dctx->cur_byte == 24) {
dctx->h = (state >> 32) & 0xFFFF;
.\cloneFuncs\totalClone\Type-3\CVE-2018-16300_after_1mo_1579492538_bgp_attr_print.c
339
340
341
342
343
344
345
346
347
348
default:
/*
* bgp_mp_af_print() should have saved us from
* an unsupported AFI/SAFI.
*/
ND_PRINT("ERROR: no AFI %u/SAFI %u nexthop decoder", af, safi);
tptr += tnhlen;
tlen -= tnhlen;
tnhlen = 0;
goto done;
+ show +
349
350
351
352
break;
}
}
}
+ show +
353
354
355
356
357
358
359
360
361
362
ND_PRINT(", nh-length: %u", nhlen);
/* As per RFC 2858; this is reserved in RFC 4760 */
if (tlen < 1)
goto trunc;
ND_TCHECK_1(tptr);
snpa = GET_U_1(tptr);
tptr++;
tlen--;
.\cloneFuncs\totalClone\Type-3\CVE-2018-16300_after_imd_1573430179_bgp_attr_print.c
339
340
341
342
343
344
345
346
347
348
default:
/*
* bgp_mp_af_print() should have saved us from
* an unsupported AFI/SAFI.
*/
ND_PRINT("ERROR: no AFI %u/SAFI %u nexthop decoder", af, safi);
tptr += tnhlen;
tlen -= tnhlen;
tnhlen = 0;
goto done;
+ show +
349
350
351
352
break;
}
}
}
+ show +
353
354
355
356
357
358
359
360
361
362
ND_PRINT(", nh-length: %u", nhlen);
/* As per RFC 2858; this is reserved in RFC 4760 */
if (tlen < 1)
goto trunc;
ND_TCHECK_1(tptr);
snpa = GET_U_1(tptr);
tptr++;
tlen--;
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_after_6mo_1543205848_kvm_get_supported_msrs.c
84
85
86
87
88
89
90
91
92
93
has_msr_hv_reenlightenment = true;
break;
case MSR_IA32_SPEC_CTRL:
has_msr_spec_ctrl = true;
break;
case MSR_VIRT_SSBD:
has_msr_virt_ssbd = true;
break;
case MSR_IA32_ARCH_CAPABILITIES:
has_msr_arch_capabs = true;
+ show +
+ show +
98
99
100
101
102
103
g_free(kvm_msr_list);
}
return ret;
}
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_1mo_1522429329_kvm_get_supported_msrs.c
75
76
77
78
79
80
81
82
83
84
has_msr_hv_synic = true;
break;
case HV_X64_MSR_STIMER0_CONFIG:
has_msr_hv_stimer = true;
break;
case HV_X64_MSR_TSC_FREQUENCY:
has_msr_hv_frequencies = true;
break;
case MSR_IA32_SPEC_CTRL:
has_msr_spec_ctrl = true;
+ show +
+ show +
89
90
91
92
93
94
g_free(kvm_msr_list);
}
return ret;
}
.\cloneFuncs\totalClone\Type-3\CVE-2018-3639_before_6mo_1499976921_kvm_get_supported_msrs.c
69
70
71
72
73
74
75
76
77
78
has_msr_hv_runtime = true;
break;
case HV_X64_MSR_SCONTROL:
has_msr_hv_synic = true;
break;
case HV_X64_MSR_STIMER0_CONFIG:
has_msr_hv_stimer = true;
break;
case HV_X64_MSR_TSC_FREQUENCY:
has_msr_hv_frequencies = true;
+ show +
+ show +
83
84
85
86
87
88
g_free(kvm_msr_list);
}
return ret;
}
.\cloneFuncs\totalClone\Type-4\CVE-2012-2782_after_6mo_1362392468_decode_slice_header.c
611
612
613
614
615
616
617
618
619
620
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
621
622
623
624
break;
}
}
}
+ show +
625
626
627
628
629
630
631
632
633
634
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-4\CVE-2012-2782_after_6mo_1362608829_decode_slice_header.c
639
640
641
642
643
644
645
646
647
648
int k;
uint8_t *base = h->ref_list[j][i].f.base[0];
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.base[0] == base) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.base[0] == base) {
id_list[i] = h->short_ref_count + k;
+ show +
649
650
651
652
break;
}
}
}
+ show +
653
654
655
656
657
658
659
660
661
662
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] +
(h->ref_list[j][i].f.reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
.\cloneFuncs\totalClone\Type-4\CVE-2014-3513_after_6mo_1429163403_ssl_add_clienthello_tlsext.c
13
14
15
16
17
18
19
20
21
22
STACK_OF(SSL_CIPHER) *cipher_stack = SSL_get_ciphers(s);
for (i = 0; i < sk_SSL_CIPHER_num(cipher_stack); i++) {
SSL_CIPHER *c = sk_SSL_CIPHER_value(cipher_stack, i);
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
if ((alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe)
|| (alg_a & SSL_aECDSA))) {
using_ecc = 1;
+ show +
+ show +
27
28
29
30
31
32
33
34
35
36
# endif
ret += 2;
if (ret >= limit)
return NULL; /* this really never occurs, but ... */
/* Add RI if renegotiating */
if (s->renegotiate) {
int el;
.\cloneFuncs\totalClone\Type-4\CVE-2015-0285_before_6mo_1406414860_ssl3_client_hello.c
69
70
71
72
73
74
75
76
77
78
* required to use same upon reply to HelloVerify */
if (SSL_IS_DTLS(s))
{
size_t idx;
i = 1;
for (idx=0; idx < sizeof(s->s3->client_random); idx++)
{
if (p[idx])
{
i = 0;
+ show +
+ show +
83
84
85
86
87
88
89
90
91
92
else
i = 1;
if (i)
ssl_fill_hello_random(s, 0, p,
sizeof(s->s3->client_random));
/* Do the message type and length last */
d=p= ssl_handshake_start(s);
.\cloneFuncs\totalClone\Type-4\CVE-2015-3417_after_6mo_1448399557_ff_h264_decode_slice_header.c
757
758
759
760
761
762
763
764
765
766
int k;
AVBuffer *buf = sl->ref_list[j][i].parent->f->buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f->buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
767
768
769
770
break;
}
}
}
+ show +
771
772
773
774
775
776
777
778
779
780
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (sl->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(sl->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-4\CVE-2015-3417_before_6mo_1396608464_ff_h264_decode_slice_header.c
582
583
584
585
586
587
588
589
590
591
int k;
AVBuffer *buf = h->ref_list[j][i].f.buf[0]->buffer;
for (k = 0; k < h->short_ref_count; k++)
if (h->short_ref[k]->f.buf[0]->buffer == buf) {
id_list[i] = k;
break;
}
for (k = 0; k < h->long_ref_count; k++)
if (h->long_ref[k] && h->long_ref[k]->f.buf[0]->buffer == buf) {
id_list[i] = h->short_ref_count + k;
+ show +
592
593
594
595
break;
}
}
}
+ show +
596
597
598
599
600
601
602
603
604
605
ref2frm[0] =
ref2frm[1] = -1;
for (i = 0; i < 16; i++)
ref2frm[i + 2] = 4 * id_list[i] + (h->ref_list[j][i].reference & 3);
ref2frm[18 + 0] =
ref2frm[18 + 1] = -1;
for (i = 16; i < 48; i++)
ref2frm[i + 4] = 4 * id_list[(i - 16) >> 1] +
(h->ref_list[j][i].reference & 3);
.\cloneFuncs\totalClone\Type-4\CVE-2017-13046_after_6mo_1517362173_bgp_attr_print.c
359
360
361
362
363
364
365
366
367
368
}
break;
default:
ND_TCHECK_LEN(tptr, tlen);
ND_PRINT("no AFI %u/SAFI %u decoder", af, safi);
if (ndo->ndo_vflag <= 1)
print_unknown_data(ndo, tptr, "\n\t ", tlen);
tptr += tlen;
tlen = 0;
goto done;
+ show +
369
370
371
372
break;
}
}
}
+ show +
373
374
375
376
377
378
379
380
381
382
ND_PRINT(", nh-length: %u", nhlen);
tptr += tlen;
ND_TCHECK_1(tptr);
snpa = EXTRACT_U_1(tptr);
tptr++;
if (snpa) {
ND_PRINT("\n\t %u SNPA", snpa);
for (/*nothing*/; snpa != 0; snpa--) {
.\cloneFuncs\totalClone\Type-4\CVE-2017-15268_before_1mo_1505229707_vnc_update_client.c
49
50
51
52
53
54
55
56
57
58
bitmap_clear(vs->dirty[y], x, x2 - x);
h = find_and_clear_dirty_height(vs, y, x, x2, height);
x2 = MIN(x2, width / VNC_DIRTY_PIXELS_PER_BIT);
if (x2 > x) {
n += vnc_job_add_rect(job, x * VNC_DIRTY_PIXELS_PER_BIT, y,
(x2 - x) * VNC_DIRTY_PIXELS_PER_BIT, h);
}
if (!x && x2 == width / VNC_DIRTY_PIXELS_PER_BIT) {
y += h;
if (y == height) {
+ show +
+ show +
63
64
65
66
67
68
69
70
71
72
vnc_job_push(job);
if (sync) {
vnc_jobs_join(vs);
}
vs->force_update = 0;
vs->has_dirty = 0;
return n;
}
.\cloneFuncs\totalClone\Type-4\CVE-2017-9608_before_6mo_1455428672_dnxhd_find_frame_end.c
9
10
11
12
13
14
15
16
17
18
int cur_field = dctx->cur_field;
if (!pic_found) {
for (i = 0; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
i++;
pic_found = 1;
interlaced = (state&2)>>1; /* byte following the 5-byte header prefix */
cur_field = state&1;
+ show +
+ show +
23
24
25
26
27
28
29
30
31
32
if (pic_found) {
if (!buf_size) /* EOF considered as end of frame */
return 0;
for (; i < buf_size; i++) {
state = (state << 8) | buf[i];
if (ff_dnxhd_check_header_prefix(state & 0xffffffffff00LL) != 0) {
if (!interlaced || dctx->cur_field) {
pc->frame_start_found = 0;
pc->state64 = -1;
.\cloneFuncs\totalClone\Type-4\CVE-2018-8897_after_6mo_1519235653_do_debug.c
86
87
88
89
90
91
92
93
94
95
if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */
(dr7 & (3u << (bp * DR_ENABLE_SIZE))) && /* Enabled? */
((dr7 & (3u << ((bp * DR_CONTROL_SIZE) + /* Insn? */
DR_CONTROL_SHIFT))) == DR_RW_EXECUTE) )
{
ASSERT_UNREACHABLE();
printk(XENLOG_ERR
"Hit instruction breakpoint in Xen context\n");
write_debugreg(7, 0);
+ show +
+ show +
100
101
102
103
104
105
106
107
108
109
/*
* Whatever caused this #DB should be restartable by this point. Note
* it and continue. Guests can trigger this in certain corner cases,
* so ensure the message is ratelimited.
*/
gprintk(XENLOG_WARNING,
"Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n",
regs->cs, _p(regs->rip), _p(regs->rip),
regs->ss, _p(regs->rsp), dr6);
[ffmpeg_CVE-2012-2782_1346931008_decode_slice_header.diff] decode_slice_header_OLD.c #4
s->height = s->avctx->height;
}
+ if (h->sps.video_signal_type_present_flag) {
+ s->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG
+ : AVCOL_RANGE_MPEG;
+ if (h->sps.colour_description_present_flag) {
+ s->avctx->color_primaries = h->sps.color_primaries;
+ s->avctx->color_trc = h->sps.color_trc;
+ s->avctx->colorspace = h->sps.colorspace;
+ }
+ }
+
+ ret = get_pixel_format(h);
+ if (ret < 0)
+ return ret;
+ else
+ pix_fmt = ret;
+ if (s->avctx->pix_fmt == PIX_FMT_NONE)
+ s->avctx->pix_fmt = pix_fmt;
+
if (s->context_initialized &&
- (s->width != s->avctx->width || s->height != s->avctx->height ||
+ (s->width != s->avctx->width ||
+ s->height != s->avctx->height ||
+ pix_fmt != s->avctx->pix_fmt ||
+ needs_reinit ||
av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
- if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
- av_log_missing_feature(s->avctx,
- "Width/height changing with threads", 0);
- return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding
- }
- free_tables(h, 0);
- flush_dpb(s->avctx);
- ff_MPV_common_end(s);
- }
- if (!s->context_initialized) {
+
if (h != h0) {
- av_log(h->s.avctx, AV_LOG_ERROR,
- "Cannot (re-)initialize context during parallel decoding.\n");
- return -1;
+ av_log(s->avctx, AV_LOG_ERROR, "changing width/height on "
+ "slice %d\n", h0->current_slice + 1);
+ return AVERROR_INVALIDDATA;
}
- avcodec_set_dimensions(s->avctx, s->width, s->height);
- s->avctx->sample_aspect_ratio = h->sps.sar;
- av_assert0(s->avctx->sample_aspect_ratio.den);
-
- if (h->sps.video_signal_type_present_flag) {
- s->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG
- : AVCOL_RANGE_MPEG;
- if (h->sps.colour_description_present_flag) {
- s->avctx->color_primaries = h->sps.color_primaries;
- s->avctx->color_trc = h->sps.color_trc;
- s->avctx->colorspace = h->sps.colorspace;
- }
- }
+ av_log(h->s.avctx, AV_LOG_INFO, "Reinit context to %dx%d, "
+ "pix_fmt: %d\n", s->width, s->height, pix_fmt);
- if (h->sps.timing_info_present_flag) {
- int64_t den = h->sps.time_scale;
- if (h->x264_build < 44U)
- den *= 2;
- av_reduce(&s->avctx->time_base.num, &s->avctx->time_base.den,
- h->sps.num_units_in_tick, den, 1 << 30);
- }
-
- switch (h->sps.bit_depth_luma) {
- case 9:
- if (CHROMA444) {
- if (s->avctx->colorspace == AVCOL_SPC_RGB) {
- s->avctx->pix_fmt = AV_PIX_FMT_GBRP9;
- } else
- s->avctx->pix_fmt = AV_PIX_FMT_YUV444P9;
- } else if (CHROMA422)
- s->avctx->pix_fmt = AV_PIX_FMT_YUV422P9;
- else
- s->avctx->pix_fmt = AV_PIX_FMT_YUV420P9;
- break;
- case 10:
- if (CHROMA444) {
- if (s->avctx->colorspace == AVCOL_SPC_RGB) {
- s->avctx->pix_fmt = AV_PIX_FMT_GBRP10;
- } else
- s->avctx->pix_fmt = AV_PIX_FMT_YUV444P10;
- } else if (CHROMA422)
- s->avctx->pix_fmt = AV_PIX_FMT_YUV422P10;
- else
- s->avctx->pix_fmt = AV_PIX_FMT_YUV420P10;
- break;
- case 8:
- if (CHROMA444) {
- if (s->avctx->colorspace == AVCOL_SPC_RGB) {
- s->avctx->pix_fmt = AV_PIX_FMT_GBRP;
- } else
- s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P
- : AV_PIX_FMT_YUV444P;
- } else if (CHROMA422) {
- s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P
- : AV_PIX_FMT_YUV422P;
- } else {
- s->avctx->pix_fmt = s->avctx->get_format(s->avctx,
- s->avctx->codec->pix_fmts ?
- s->avctx->codec->pix_fmts :
- s->avctx->color_range == AVCOL_RANGE_JPEG ?
- hwaccel_pixfmt_list_h264_jpeg_420 :
- ff_hwaccel_pixfmt_list_420);
- }
- break;
- default:
- av_log(s->avctx, AV_LOG_ERROR,
- "Unsupported bit depth: %d\n", h->sps.bit_depth_luma);
- return AVERROR_INVALIDDATA;
- }
+ flush_change(h);
- s->avctx->hwaccel = ff_find_hwaccel(s->avctx->codec->id,
- s->avctx->pix_fmt);
+ s->avctx->pix_fmt = pix_fmt;
- if (ff_MPV_common_init(s) < 0) {
- av_log(h->s.avctx, AV_LOG_ERROR, "ff_MPV_common_init() failed.\n");
- return -1;
+ if ((ret = h264_slice_header_init(h, 1)) < 0) {
+ av_log(h->s.avctx, AV_LOG_ERROR,
+ "h264_slice_header_init() failed\n");
+ return ret;
}
- s->first_field = 0;
- h->prev_interlaced_frame = 1;
-
- init_scan_tables(h);
- if (ff_h264_alloc_tables(h) < 0) {
+ h->context_reinitialized = 1;
+ }
+ if (!s->context_initialized) {
+ if (h != h0) {
av_log(h->s.avctx, AV_LOG_ERROR,
- "Could not allocate memory for h264\n");
- return AVERROR(ENOMEM);
+ "Cannot (re-)initialize context during parallel decoding.\n");
+ return -1;
}
-
- if (!HAVE_THREADS || !(s->avctx->active_thread_type & FF_THREAD_SLICE)) {
- if (context_init(h) < 0) {
- av_log(h->s.avctx, AV_LOG_ERROR, "context_init() failed.\n");
- return -1;
- }
- } else {
- for (i = 1; i < s->slice_context_count; i++) {
- H264Context *c;
- c = h->thread_context[i] = av_malloc(sizeof(H264Context));
- memcpy(c, h->s.thread_context[i], sizeof(MpegEncContext));
- memset(&c->s + 1, 0, sizeof(H264Context) - sizeof(MpegEncContext));
- c->h264dsp = h->h264dsp;
- c->sps = h->sps;
- c->pps = h->pps;
- c->pixel_shift = h->pixel_shift;
- init_scan_tables(c);
- clone_tables(c, h, i);
- }
-
- for (i = 0; i < s->slice_context_count; i++)
- if (context_init(h->thread_context[i]) < 0) {
- av_log(h->s.avctx, AV_LOG_ERROR,
- "context_init() failed.\n");
- return -1;
- }
+ if ((ret = h264_slice_header_init(h, 0)) < 0) {
+ av_log(h->s.avctx, AV_LOG_ERROR,
+ "h264_slice_header_init() failed\n");
+ return ret;
}
}
.\cloneFuncs\totalClone\Type-1\CVE-2012-2782_before_imd_1353879727_decode_slice_header.c
105
106
107
108
109
110
111
112
113
114
s->width = 16 * s->mb_width - (2 >> CHROMA444) * FFMIN(h->sps.crop_right, (8 << CHROMA444) - 1);
if (h->sps.frame_mbs_only_flag)
s->height = 16 * s->mb_height - (1 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1);
else
s->height = 16 * s->mb_height - (2 << s->chroma_y_shift) * FFMIN(h->sps.crop_bottom, (16 >> s->chroma_y_shift) - 1);
if (FFALIGN(s->avctx->width, 16) == s->width &&
FFALIGN(s->avctx->height, 16) == s->height) {
s->width = s->avctx->width;
+ show +
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
s->height = s->avctx->height;
}
if (s->context_initialized &&
(s->width != s->avctx->width || s->height != s->avctx->height ||
av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
av_log_missing_feature(s->avctx,
"Width/height changing with threads", 0);
return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding
}
free_tables(h, 0);
flush_dpb(s->avctx);
ff_MPV_common_end(s);
}
if (!s->context_initialized) {
if (h != h0) {
av_log(h->s.avctx, AV_LOG_ERROR,
"Cannot (re-)initialize context during parallel decoding.\n");
return -1;
}
avcodec_set_dimensions(s->avctx, s->width, s->height);
s->avctx->sample_aspect_ratio = h->sps.sar;
av_assert0(s->avctx->sample_aspect_ratio.den);
if (h->sps.video_signal_type_present_flag) {
s->avctx->color_range = h->sps.full_range ? AVCOL_RANGE_JPEG
: AVCOL_RANGE_MPEG;
if (h->sps.colour_description_present_flag) {
s->avctx->color_primaries = h->sps.color_primaries;
s->avctx->color_trc = h->sps.color_trc;
s->avctx->colorspace = h->sps.colorspace;
}
}
if (h->sps.timing_info_present_flag) {
int64_t den = h->sps.time_scale;
if (h->x264_build < 44U)
den *= 2;
av_reduce(&s->avctx->time_base.num, &s->avctx->time_base.den,
h->sps.num_units_in_tick, den, 1 << 30);
}
switch (h->sps.bit_depth_luma) {
case 9:
if (CHROMA444) {
if (s->avctx->colorspace == AVCOL_SPC_RGB) {
s->avctx->pix_fmt = AV_PIX_FMT_GBRP9;
} else
s->avctx->pix_fmt = AV_PIX_FMT_YUV444P9;
} else if (CHROMA422)
s->avctx->pix_fmt = AV_PIX_FMT_YUV422P9;
else
s->avctx->pix_fmt = AV_PIX_FMT_YUV420P9;
break;
case 10:
if (CHROMA444) {
if (s->avctx->colorspace == AVCOL_SPC_RGB) {
s->avctx->pix_fmt = AV_PIX_FMT_GBRP10;
} else
s->avctx->pix_fmt = AV_PIX_FMT_YUV444P10;
} else if (CHROMA422)
s->avctx->pix_fmt = AV_PIX_FMT_YUV422P10;
else
s->avctx->pix_fmt = AV_PIX_FMT_YUV420P10;
break;
case 8:
if (CHROMA444) {
if (s->avctx->colorspace == AVCOL_SPC_RGB) {
s->avctx->pix_fmt = AV_PIX_FMT_GBRP;
} else
s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ444P
: AV_PIX_FMT_YUV444P;
} else if (CHROMA422) {
s->avctx->pix_fmt = s->avctx->color_range == AVCOL_RANGE_JPEG ? AV_PIX_FMT_YUVJ422P
: AV_PIX_FMT_YUV422P;
} else {
s->avctx->pix_fmt = s->avctx->get_format(s->avctx,
s->avctx->codec->pix_fmts ?
s->avctx->codec->pix_fmts :
s->avctx->color_range == AVCOL_RANGE_JPEG ?
hwaccel_pixfmt_list_h264_jpeg_420 :
ff_hwaccel_pixfmt_list_420);
}
break;
default:
av_log(s->avctx, AV_LOG_ERROR,
"Unsupported bit depth: %d\n", h->sps.bit_depth_luma);
return AVERROR_INVALIDDATA;
}
s->avctx->hwaccel = ff_find_hwaccel(s->avctx->codec->id,
s->avctx->pix_fmt);
if (ff_MPV_common_init(s) < 0) {
av_log(h->s.avctx, AV_LOG_ERROR, "ff_MPV_common_init() failed.\n");
return -1;
}
s->first_field = 0;
h->prev_interlaced_frame = 1;
init_scan_tables(h);
if (ff_h264_alloc_tables(h) < 0) {
av_log(h->s.avctx, AV_LOG_ERROR,
"Could not allocate memory for h264\n");
return AVERROR(ENOMEM);
}
if (!HAVE_THREADS || !(s->avctx->active_thread_type & FF_THREAD_SLICE)) {
if (context_init(h) < 0) {
av_log(h->s.avctx, AV_LOG_ERROR, "context_init() failed.\n");
return -1;
}
} else {
for (i = 1; i < s->slice_context_count; i++) {
H264Context *c;
c = h->thread_context[i] = av_malloc(sizeof(H264Context));
memcpy(c, h->s.thread_context[i], sizeof(MpegEncContext));
memset(&c->s + 1, 0, sizeof(H264Context) - sizeof(MpegEncContext));
c->h264dsp = h->h264dsp;
c->sps = h->sps;
c->pps = h->pps;
c->pixel_shift = h->pixel_shift;
init_scan_tables(c);
clone_tables(c, h, i);
}
for (i = 0; i < s->slice_context_count; i++)
if (context_init(h->thread_context[i]) < 0) {
av_log(h->s.avctx, AV_LOG_ERROR,
"context_init() failed.\n");
return -1;
}
}
}
+ show +
251
252
253
254
255
256
257
258
259
260
if (h == h0 && h->dequant_coeff_pps != pps_id) {
h->dequant_coeff_pps = pps_id;
init_dequant_tables(h);
}
h->frame_num = get_bits(&s->gb, h->sps.log2_max_frame_num);
h->mb_mbaff = 0;
h->mb_aff_frame = 0;
[xen_CVE-2016-9383_1479818946_x86_emulate.diff] x86_emulate_OLD.c #1
else
{
/*
+ * Instructions such as bt can reference an arbitrary offset from
+ * their memory operand, but the instruction doing the actual
+ * emulation needs the appropriate op_bytes read from memory.
+ * Adjust both the source register and memory operand to make an
+ * equivalent instruction.
+ *
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
444
445
446
447
448
449
450
451
452
453
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
454
455
456
457
458
459
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
460
461
462
463
464
465
466
467
468
469
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
455
456
457
458
459
460
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_after_imd_1426079282_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
455
456
457
458
459
460
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_before_1mo_1421073672_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
455
456
457
458
459
460
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
481
482
483
484
485
486
487
488
489
490
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
491
492
493
494
495
496
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
497
498
499
500
501
502
503
504
505
506
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-1\CVE-2016-9383_before_imd_1479818690_x86_emulate.c
132
133
134
135
136
137
138
139
140
141
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
142
143
144
145
146
147
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
148
149
150
151
152
153
154
155
156
157
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-2\CVE-2016-7093_after_1mo_1474903296_x86_emulate.c
477
478
479
480
481
482
483
484
485
486
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
487
488
489
490
491
492
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
493
494
495
496
497
498
499
500
501
502
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
444
445
446
447
448
449
450
451
452
453
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
454
455
456
457
458
459
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
460
461
462
463
464
465
466
467
468
469
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
444
445
446
447
448
449
450
451
452
453
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
454
455
456
457
458
459
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
460
461
462
463
464
465
466
467
468
469
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
409
410
411
412
413
414
415
416
417
418
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
419
420
421
422
423
424
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
425
426
427
428
429
430
431
432
433
434
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
412
413
414
415
416
417
418
419
420
421
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
422
423
424
425
426
427
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
428
429
430
431
432
433
434
435
436
437
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_6mo_1431943891_x86_emulate.c
446
447
448
449
450
451
452
453
454
455
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
456
457
458
459
460
461
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
462
463
464
465
466
467
468
469
470
471
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_imd_1421073606_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
455
456
457
458
459
460
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
445
446
447
448
449
450
451
452
453
454
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
455
456
457
458
459
460
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
461
462
463
464
465
466
467
468
469
470
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_1mo_1430733341_x86_emulate.c
446
447
448
449
450
451
452
453
454
455
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
456
457
458
459
460
461
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
462
463
464
465
466
467
468
469
470
471
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_6mo_1450703102_x86_emulate.c
447
448
449
450
451
452
453
454
455
456
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
457
458
459
460
461
462
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
463
464
465
466
467
468
469
470
471
472
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_1mo_1463652393_x86_emulate.c
451
452
453
454
455
456
457
458
459
460
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
461
462
463
464
465
466
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
467
468
469
470
471
472
473
474
475
476
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_6mo_1452763955_x86_emulate.c
447
448
449
450
451
452
453
454
455
456
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
457
458
459
460
461
462
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
463
464
465
466
467
468
469
470
471
472
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
.\cloneFuncs\totalClone\Type-3\CVE-2016-9383_before_1mo_1476446956_x86_emulate.c
132
133
134
135
136
137
138
139
140
141
case 4: dst.val = *(uint32_t *)dst.reg; break;
case 8: dst.val = *(uint64_t *)dst.reg; break;
}
}
break;
case DstBitBase:
if ( ((d & SrcMask) == SrcImmByte) || (ea.type == OP_REG) )
{
src.val &= (op_bytes << 3) - 1;
}
+ show +
142
143
144
145
146
147
else
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
+ show +
148
149
150
151
152
153
154
155
156
157
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
[xen_CVE-2016-9383_1479818946_x86_emulate.diff] x86_emulate_OLD.c #2
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
- unsigned long byte_offset;
- byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
+ unsigned long byte_offset =
+ op_bytes + (((-src.val - 1) >> 3) & ~(op_bytes - 1L));
+
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
- ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
+ ea.mem.off += (src.val >> 3) & ~(op_bytes - 1L);
src.val &= (op_bytes << 3) - 1;
}
}
.\cloneFuncs\totalClone\Type-1\CVE-2013-4361_before_imd_1379922749_x86_emulate.c
455
456
457
458
459
460
461
462
463
464
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
465
466
467
468
469
470
471
472
473
474
475
476
477
478
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
479
480
481
482
483
484
485
486
487
488
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-1\CVE-2014-8595_before_imd_1411978981_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_after_imd_1426079282_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-1\CVE-2015-2151_before_1mo_1421073672_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-1\CVE-2016-7093_before_imd_1472818823_x86_emulate.c
492
493
494
495
496
497
498
499
500
501
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
502
503
504
505
506
507
508
509
510
511
512
513
514
515
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
516
517
518
519
520
521
522
523
524
525
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-1\CVE-2016-9383_before_imd_1479818690_x86_emulate.c
143
144
145
146
147
148
149
150
151
152
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
153
154
155
156
157
158
159
160
161
162
163
164
165
166
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
167
168
169
170
171
172
173
174
175
176
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-2\CVE-2016-7093_after_1mo_1474903296_x86_emulate.c
488
489
490
491
492
493
494
495
496
497
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
498
499
500
501
502
503
504
505
506
507
508
509
510
511
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
512
513
514
515
516
517
518
519
520
521
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_1mo_1384879288_x86_emulate.c
455
456
457
458
459
460
461
462
463
464
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
465
466
467
468
469
470
471
472
473
474
475
476
477
478
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
479
480
481
482
483
484
485
486
487
488
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_after_6mo_1407483243_x86_emulate.c
455
456
457
458
459
460
461
462
463
464
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
465
466
467
468
469
470
471
472
473
474
475
476
477
478
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
479
480
481
482
483
484
485
486
487
488
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_1mo_1377702230_x86_emulate.c
420
421
422
423
424
425
426
427
428
429
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
430
431
432
433
434
435
436
437
438
439
440
441
442
443
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
444
445
446
447
448
449
450
451
452
453
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2013-4361_before_6mo_1352368352_x86_emulate.c
423
424
425
426
427
428
429
430
431
432
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
433
434
435
436
437
438
439
440
441
442
443
444
445
446
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
447
448
449
450
451
452
453
454
455
456
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_6mo_1431943891_x86_emulate.c
457
458
459
460
461
462
463
464
465
466
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
467
468
469
470
471
472
473
474
475
476
477
478
479
480
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
481
482
483
484
485
486
487
488
489
490
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_after_imd_1421073606_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2014-8595_before_1mo_1411978847_x86_emulate.c
456
457
458
459
460
461
462
463
464
465
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
466
467
468
469
470
471
472
473
474
475
476
477
478
479
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
480
481
482
483
484
485
486
487
488
489
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_1mo_1430733341_x86_emulate.c
457
458
459
460
461
462
463
464
465
466
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
467
468
469
470
471
472
473
474
475
476
477
478
479
480
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
481
482
483
484
485
486
487
488
489
490
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2015-2151_after_6mo_1450703102_x86_emulate.c
458
459
460
461
462
463
464
465
466
467
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
468
469
470
471
472
473
474
475
476
477
478
479
480
481
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
482
483
484
485
486
487
488
489
490
491
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_1mo_1463652393_x86_emulate.c
462
463
464
465
466
467
468
469
470
471
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
472
473
474
475
476
477
478
479
480
481
482
483
484
485
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
486
487
488
489
490
491
492
493
494
495
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2016-7093_before_6mo_1452763955_x86_emulate.c
458
459
460
461
462
463
464
465
466
467
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
468
469
470
471
472
473
474
475
476
477
478
479
480
481
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
482
483
484
485
486
487
488
489
490
491
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
.\cloneFuncs\totalClone\Type-3\CVE-2016-9383_before_1mo_1476446956_x86_emulate.c
143
144
145
146
147
148
149
150
151
152
{
/*
* EA += BitOffset DIV op_bytes*8
* BitOffset = BitOffset MOD op_bytes*8
* DIV truncates towards negative infinity.
* MOD always produces a positive result.
*/
if ( op_bytes == 2 )
src.val = (int16_t)src.val;
else if ( op_bytes == 4 )
+ show +
153
154
155
156
157
158
159
160
161
162
163
164
165
166
src.val = (int32_t)src.val;
if ( (long)src.val < 0 )
{
unsigned long byte_offset;
byte_offset = op_bytes + (((-src.val-1) >> 3) & ~(op_bytes-1));
ea.mem.off -= byte_offset;
src.val = (byte_offset << 3) + src.val;
}
else
{
ea.mem.off += (src.val >> 3) & ~(op_bytes - 1);
src.val &= (op_bytes << 3) - 1;
}
}
+ show +
167
168
169
170
171
172
173
174
175
176
/* Becomes a normal DstMem operation from here on. */
d = (d & ~DstMask) | DstMem;
case DstMem:
ea.bytes = (d & ByteOp) ? 1 : op_bytes;
dst = ea;
if ( dst.type == OP_REG )
{
generate_exception_if(lock_prefix, EXC_UD, -1);
switch ( dst.bytes )
{
[openssl_CVE-2014-0076_1394633779_ec_GF2m_montgomery_point_multiply.diff] ec_GF2m_montgomery_point_multiply_OLD.c #2
word = scalar->d[i];
while (mask)
{
- if (word & mask)
- {
- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
- }
- else
- {
- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
- }
+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
mask >>= 1;
}
mask = BN_TBIT;
.\cloneFuncs\totalClone\Type-1\CVE-2014-0076_before_1mo_1297531412_ec_GF2m_montgomery_point_multiply.c
44
45
46
47
48
49
50
51
52
53
mask >>= 1;
/* if top most bit was at word break, go to next word */
if (!mask)
{
i--;
mask = BN_TBIT;
}
for (; i >= 0; i--)
{
+ show +
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
word = scalar->d[i];
while (mask)
{
if (word & mask)
{
if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
}
else
{
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
}
mask >>= 1;
}
mask = BN_TBIT;
+ show +
70
71
72
73
74
75
76
77
78
79
}
/* convert out of "projective" coordinates */
i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx);
if (i == 0) goto err;
else if (i == 1)
{
if (!EC_POINT_set_to_infinity(group, r)) goto err;
}
else
[openssl_CVE-2018-0739_1521711593_asn1_item_embed_d2i.diff] asn1_item_embed_d2i_OLD.c #3
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
- it->templates, opt, ctx);
+ it->templates, opt, ctx, depth);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
.\cloneFuncs\totalClone\Type-1\CVE-2015-0287_before_imd_1422492849_ASN1_item_ex_d2i.c
28
29
30
31
32
33
34
35
36
37
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
38
39
40
41
42
43
44
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
45
46
47
48
49
50
51
52
53
54
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_after_imd_1506564784_asn1_item_embed_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
.\cloneFuncs\totalClone\Type-1\CVE-2016-7053_before_1mo_1467757466_asn1_item_embed_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_1mo_1427298176_ASN1_item_ex_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_after_6mo_1439820138_ASN1_item_ex_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
.\cloneFuncs\totalClone\Type-3\CVE-2015-0287_before_1mo_1421898055_ASN1_item_ex_d2i.c
28
29
30
31
32
33
34
35
36
37
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
38
39
40
41
42
43
44
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
45
46
47
48
49
50
51
52
53
54
break;
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
.\cloneFuncs\totalClone\Type-3\CVE-2016-7053_before_6mo_1459370225_asn1_item_embed_d2i.c
26
27
28
29
30
31
32
33
34
35
if (it->templates) {
/*
* tagging or OPTIONAL is currently illegal on an item template
* because the flags can't get passed down. In practice this
* isn't a problem: we include the relevant flags from the item
* template in the template itself.
*/
if ((tag != -1) || opt) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
36
37
38
39
40
41
42
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
43
44
45
46
47
48
49
50
51
52
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
.\cloneFuncs\totalClone\Type-4\CVE-2015-0287_before_6mo_1276352003_ASN1_item_ex_d2i.c
30
31
32
33
34
35
36
37
38
39
/* tagging or OPTIONAL is currently illegal on an item
* template because the flags can't get passed down.
* In practice this isn't a problem: we include the
* relevant flags from the item template in the
* template itself.
*/
if ((tag != -1) || opt)
{
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);
+ show +
40
41
42
43
44
45
46
goto err;
}
return asn1_template_ex_d2i(pval, in, len,
it->templates, opt, ctx);
}
return asn1_d2i_ex_primitive(pval, in, len, it,
tag, aclass, opt, ctx);
+ show +
47
48
49
50
51
52
53
54
55
56
break;
case ASN1_ITYPE_MSTRING:
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
&p, len, -1, 0, 1, ctx);
if (!ret)
{
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
[openssl_CVE-2016-0702_1453761661_BN_mod_exp_mont_consttime.diff] BN_mod_exp_mont_consttime_OLD.c #6
}
}
for (; i < 16; i += 2) {
- bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
+ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2 * i);
}
for (; i < 32; i += 2) {
- bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
+ bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
}
# endif
.\cloneFuncs\totalClone\Type-1\CVE-2016-0702_before_imd_1453750718_BN_mod_exp_mont_consttime.c
350
351
352
353
354
355
356
357
358
359
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, i);
}
for (i = 3; i < 8; i += 2) {
int j;
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
for (j = 2 * i; j < 32; j *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, j);
+ show +
360
361
362
363
364
365
366
367
368
369
370
371
372
}
}
for (; i < 16; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2 * i);
}
for (; i < 32; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
}
# endif
+ show +
373
374
375
376
377
378
379
380
381
382
bits--;
for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
bn_gather5(tmp.d, top, powerbuf, wvalue);
/*
* Scan the exponent one window at a time starting from the most
* significant bits.
*/
if (top & 7)
.\cloneFuncs\totalClone\Type-2\CVE-2016-0702_before_1mo_1450535897_BN_mod_exp_mont_consttime.c
350
351
352
353
354
355
356
357
358
359
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, i);
}
for (i = 3; i < 8; i += 2) {
int j;
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
for (j = 2 * i; j < 32; j *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, j);
+ show +
360
361
362
363
364
365
366
367
368
369
370
371
372
}
}
for (; i < 16; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2 * i);
}
for (; i < 32; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
}
# endif
+ show +
373
374
375
376
377
378
379
380
381
382
bits--;
for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
bn_gather5(tmp.d, top, powerbuf, wvalue);
/*
* Scan the exponent one window at a time starting from the most
* significant bits.
*/
if (top & 7)
.\cloneFuncs\totalClone\Type-3\CVE-2016-0702_before_6mo_1435017346_BN_mod_exp_mont_consttime.c
343
344
345
346
347
348
349
350
351
352
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, i);
}
for (i = 3; i < 8; i += 2) {
int j;
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
for (j = 2 * i; j < 32; j *= 2) {
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, j);
+ show +
353
354
355
356
357
358
359
360
361
362
363
364
365
}
}
for (; i < 16; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);
bn_scatter5(tmp.d, top, powerbuf, 2 * i);
}
for (; i < 32; i += 2) {
bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np2, n0, top, i - 1);
bn_scatter5(tmp.d, top, powerbuf, i);
}
# endif
+ show +
366
367
368
369
370
371
372
373
374
375
bits--;
for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--)
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
bn_gather5(tmp.d, top, powerbuf, wvalue);
/*
* Scan the exponent one window at a time starting from the most
* significant bits.
*/
if (top & 7)
[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #12
break;
case LMP_CTYPE_IPV6:
+ if (obj_tlen != 36) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
+ ND_PRINT((ndo, "\n\t Flags: [%s]",
+ bittok2str(lmp_obj_te_link_flag_values,
+ "none",
+ EXTRACT_8BITS(obj_tptr))));
+
+ ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)"
+ "\n\t Remote Link-ID: %s (0x%08x)",
+ ip6addr_string(ndo, obj_tptr+4),
+ EXTRACT_32BITS(obj_tptr+4),
+ ip6addr_string(ndo, obj_tptr+20),
+ EXTRACT_32BITS(obj_tptr+20)));
+ break;
+
case LMP_CTYPE_UNMD:
+ if (obj_tlen != 12) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
+ ND_PRINT((ndo, "\n\t Flags: [%s]",
+ bittok2str(lmp_obj_te_link_flag_values,
+ "none",
+ EXTRACT_8BITS(obj_tptr))));
+
+ ND_PRINT((ndo, "\n\t Local Link-ID: %u (0x%08x)"
+ "\n\t Remote Link-ID: %u (0x%08x)",
+ EXTRACT_32BITS(obj_tptr+4),
+ EXTRACT_32BITS(obj_tptr+4),
+ EXTRACT_32BITS(obj_tptr+8),
+ EXTRACT_32BITS(obj_tptr+8)));
+ break;
+
default:
hexdump=TRUE;
}
break;
case LMP_OBJ_DATA_LINK:
- ND_PRINT((ndo, "\n\t Flags: [%s]",
- bittok2str(lmp_obj_data_link_flag_values,
- "none",
- EXTRACT_16BITS(obj_tptr)>>8)));
-
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
- case LMP_CTYPE_UNMD:
+ if (obj_tlen < 12) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
+ ND_PRINT((ndo, "\n\t Flags: [%s]",
+ bittok2str(lmp_obj_data_link_flag_values,
+ "none",
+ EXTRACT_8BITS(obj_tptr))));
ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)"
"\n\t Remote Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
186
187
188
189
190
191
192
193
194
195
EXTRACT_16BITS(obj_tptr)>>8)));
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)"
"\n\t Remote Link-ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
EXTRACT_32BITS(obj_tptr+4),
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
+ show +
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
break;
case LMP_CTYPE_IPV6:
case LMP_CTYPE_UNMD:
default:
hexdump=TRUE;
}
break;
case LMP_OBJ_DATA_LINK:
ND_PRINT((ndo, "\n\t Flags: [%s]",
bittok2str(lmp_obj_data_link_flag_values,
"none",
EXTRACT_16BITS(obj_tptr)>>8)));
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
case LMP_CTYPE_UNMD:
ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)"
"\n\t Remote Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
+ show +
217
218
219
220
221
222
223
224
225
226
EXTRACT_32BITS(obj_tptr+4),
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
total_subobj_len = lmp_obj_len - 16;
offset = 12;
while (total_subobj_len > 0 && hexdump == FALSE ) {
subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8;
subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF;
ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
186
187
188
189
190
191
192
193
194
195
EXTRACT_16BITS(obj_tptr)>>8)));
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
ND_PRINT((ndo, "\n\t Local Link-ID: %s (0x%08x)"
"\n\t Remote Link-ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
EXTRACT_32BITS(obj_tptr+4),
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
+ show +
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
break;
case LMP_CTYPE_IPV6:
case LMP_CTYPE_UNMD:
default:
hexdump=TRUE;
}
break;
case LMP_OBJ_DATA_LINK:
ND_PRINT((ndo, "\n\t Flags: [%s]",
bittok2str(lmp_obj_data_link_flag_values,
"none",
EXTRACT_16BITS(obj_tptr)>>8)));
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
case LMP_CTYPE_UNMD:
ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)"
"\n\t Remote Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
+ show +
217
218
219
220
221
222
223
224
225
226
EXTRACT_32BITS(obj_tptr+4),
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
total_subobj_len = lmp_obj_len - 16;
offset = 12;
while (total_subobj_len > 0 && hexdump == FALSE ) {
subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8;
subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF;
ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #13
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
- total_subobj_len = lmp_obj_len - 16;
- offset = 12;
- while (total_subobj_len > 0 && hexdump == FALSE ) {
- subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8;
- subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF;
- ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
- tok2str(lmp_data_link_subobj,
- "Unknown",
- subobj_type),
- subobj_type,
- subobj_len));
- switch(subobj_type) {
- case INT_SWITCHING_TYPE_SUBOBJ:
- ND_PRINT((ndo, "\n\t Switching Type: %s (%u)",
- tok2str(gmpls_switch_cap_values,
- "Unknown",
- EXTRACT_16BITS(obj_tptr+offset+2)>>8),
- EXTRACT_16BITS(obj_tptr+offset+2)>>8));
- ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)",
- tok2str(gmpls_encoding_values,
- "Unknown",
- EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF),
- EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF));
- bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
- ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps",
- bw.f*8/1000000));
- bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
- ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps",
- bw.f*8/1000000));
- break;
- case WAVELENGTH_SUBOBJ:
- ND_PRINT((ndo, "\n\t Wavelength: %u",
- EXTRACT_32BITS(obj_tptr+offset+4)));
- break;
- default:
- /* Any Unknown Subobject ==> Exit loop */
- hexdump=TRUE;
- break;
- }
- total_subobj_len-=subobj_len;
- offset+=subobj_len;
- }
-
+ if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+ hexdump=TRUE;
break;
+
case LMP_CTYPE_IPV6:
+ if (obj_tlen < 36) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
+ ND_PRINT((ndo, "\n\t Flags: [%s]",
+ bittok2str(lmp_obj_data_link_flag_values,
+ "none",
+ EXTRACT_8BITS(obj_tptr))));
+ ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)"
+ "\n\t Remote Interface ID: %s (0x%08x)",
+ ip6addr_string(ndo, obj_tptr+4),
+ EXTRACT_32BITS(obj_tptr+4),
+ ip6addr_string(ndo, obj_tptr+20),
+ EXTRACT_32BITS(obj_tptr+20)));
+
+ if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 36, 36))
+ hexdump=TRUE;
+ break;
+
+ case LMP_CTYPE_UNMD:
+ if (obj_tlen < 12) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
+ ND_PRINT((ndo, "\n\t Flags: [%s]",
+ bittok2str(lmp_obj_data_link_flag_values,
+ "none",
+ EXTRACT_8BITS(obj_tptr))));
+ ND_PRINT((ndo, "\n\t Local Interface ID: %u (0x%08x)"
+ "\n\t Remote Interface ID: %u (0x%08x)",
+ EXTRACT_32BITS(obj_tptr+4),
+ EXTRACT_32BITS(obj_tptr+4),
+ EXTRACT_32BITS(obj_tptr+8),
+ EXTRACT_32BITS(obj_tptr+8)));
+
+ if (lmp_print_data_link_subobjs(ndo, obj_tptr, obj_tlen - 12, 12))
+ hexdump=TRUE;
+ break;
+
default:
hexdump=TRUE;
}
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
208
209
210
211
212
213
214
215
216
217
"none",
EXTRACT_16BITS(obj_tptr)>>8)));
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
case LMP_CTYPE_UNMD:
ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)"
"\n\t Remote Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
EXTRACT_32BITS(obj_tptr+4),
+ show +
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
total_subobj_len = lmp_obj_len - 16;
offset = 12;
while (total_subobj_len > 0 && hexdump == FALSE ) {
subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8;
subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF;
ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
tok2str(lmp_data_link_subobj,
"Unknown",
subobj_type),
subobj_type,
subobj_len));
switch(subobj_type) {
case INT_SWITCHING_TYPE_SUBOBJ:
ND_PRINT((ndo, "\n\t Switching Type: %s (%u)",
tok2str(gmpls_switch_cap_values,
"Unknown",
EXTRACT_16BITS(obj_tptr+offset+2)>>8),
EXTRACT_16BITS(obj_tptr+offset+2)>>8));
ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)",
tok2str(gmpls_encoding_values,
"Unknown",
EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF),
EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF));
bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps",
bw.f*8/1000000));
bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps",
bw.f*8/1000000));
break;
case WAVELENGTH_SUBOBJ:
ND_PRINT((ndo, "\n\t Wavelength: %u",
EXTRACT_32BITS(obj_tptr+offset+4)));
break;
default:
/* Any Unknown Subobject ==> Exit loop */
hexdump=TRUE;
break;
}
total_subobj_len-=subobj_len;
offset+=subobj_len;
}
break;
case LMP_CTYPE_IPV6:
default:
hexdump=TRUE;
}
+ show +
269
270
271
272
273
274
275
276
277
278
break;
case LMP_OBJ_VERIFY_BEGIN:
switch(lmp_obj_ctype) {
case LMP_CTYPE_1:
ND_PRINT((ndo, "\n\t Flags: %s",
bittok2str(lmp_obj_begin_verify_flag_values,
"none",
EXTRACT_16BITS(obj_tptr))));
ND_PRINT((ndo, "\n\t Verify Interval: %u",
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
208
209
210
211
212
213
214
215
216
217
"none",
EXTRACT_16BITS(obj_tptr)>>8)));
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
case LMP_CTYPE_UNMD:
ND_PRINT((ndo, "\n\t Local Interface ID: %s (0x%08x)"
"\n\t Remote Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+4),
EXTRACT_32BITS(obj_tptr+4),
+ show +
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
ipaddr_string(ndo, obj_tptr+8),
EXTRACT_32BITS(obj_tptr+8)));
total_subobj_len = lmp_obj_len - 16;
offset = 12;
while (total_subobj_len > 0 && hexdump == FALSE ) {
subobj_type = EXTRACT_16BITS(obj_tptr+offset)>>8;
subobj_len = EXTRACT_16BITS(obj_tptr+offset)&0x00FF;
ND_PRINT((ndo, "\n\t Subobject, Type: %s (%u), Length: %u",
tok2str(lmp_data_link_subobj,
"Unknown",
subobj_type),
subobj_type,
subobj_len));
switch(subobj_type) {
case INT_SWITCHING_TYPE_SUBOBJ:
ND_PRINT((ndo, "\n\t Switching Type: %s (%u)",
tok2str(gmpls_switch_cap_values,
"Unknown",
EXTRACT_16BITS(obj_tptr+offset+2)>>8),
EXTRACT_16BITS(obj_tptr+offset+2)>>8));
ND_PRINT((ndo, "\n\t Encoding Type: %s (%u)",
tok2str(gmpls_encoding_values,
"Unknown",
EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF),
EXTRACT_16BITS(obj_tptr+offset+2)&0x00FF));
bw.i = EXTRACT_32BITS(obj_tptr+offset+4);
ND_PRINT((ndo, "\n\t Min Reservable Bandwidth: %.3f Mbps",
bw.f*8/1000000));
bw.i = EXTRACT_32BITS(obj_tptr+offset+8);
ND_PRINT((ndo, "\n\t Max Reservable Bandwidth: %.3f Mbps",
bw.f*8/1000000));
break;
case WAVELENGTH_SUBOBJ:
ND_PRINT((ndo, "\n\t Wavelength: %u",
EXTRACT_32BITS(obj_tptr+offset+4)));
break;
default:
/* Any Unknown Subobject ==> Exit loop */
hexdump=TRUE;
break;
}
total_subobj_len-=subobj_len;
offset+=subobj_len;
}
break;
case LMP_CTYPE_IPV6:
default:
hexdump=TRUE;
}
+ show +
269
270
271
272
273
274
275
276
277
278
break;
case LMP_OBJ_VERIFY_BEGIN:
switch(lmp_obj_ctype) {
case LMP_CTYPE_1:
ND_PRINT((ndo, "\n\t Flags: %s",
bittok2str(lmp_obj_begin_verify_flag_values,
"none",
EXTRACT_16BITS(obj_tptr))));
ND_PRINT((ndo, "\n\t Verify Interval: %u",
[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #18
offset+=8;
}
break;
+
case LMP_CTYPE_IPV6:
+ offset = 0;
+ /* Decode pairs: <Interface_ID (16 bytes), Channel_status (4 bytes)> */
+ while (offset+20 <= obj_tlen) {
+ ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)",
+ ip6addr_string(ndo, obj_tptr+offset),
+ EXTRACT_32BITS(obj_tptr+offset)));
+
+ ND_PRINT((ndo, "\n\t\t Active: %s (%u)",
+ (EXTRACT_32BITS(obj_tptr+offset+16)>>31) ?
+ "Allocated" : "Non-allocated",
+ (EXTRACT_32BITS(obj_tptr+offset+16)>>31)));
+
+ ND_PRINT((ndo, "\n\t\t Direction: %s (%u)",
+ (EXTRACT_32BITS(obj_tptr+offset+16)>>30)&0x1 ?
+ "Transmit" : "Receive",
+ (EXTRACT_32BITS(obj_tptr+offset+16)>>30)&0x1));
+
+ ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)",
+ tok2str(lmp_obj_channel_status_values,
+ "Unknown",
+ EXTRACT_32BITS(obj_tptr+offset+16)&0x3FFFFFF),
+ EXTRACT_32BITS(obj_tptr+offset+16)&0x3FFFFFF));
+ offset+=20;
+ }
+ break;
+
+ case LMP_CTYPE_UNMD:
+ offset = 0;
+ /* Decode pairs: <Interface_ID (4 bytes), Channel_status (4 bytes)> */
+ while (offset+8 <= obj_tlen) {
+ ND_PRINT((ndo, "\n\t Interface ID: %u (0x%08x)",
+ EXTRACT_32BITS(obj_tptr+offset),
+ EXTRACT_32BITS(obj_tptr+offset)));
+
+ ND_PRINT((ndo, "\n\t\t Active: %s (%u)",
+ (EXTRACT_32BITS(obj_tptr+offset+4)>>31) ?
+ "Allocated" : "Non-allocated",
+ (EXTRACT_32BITS(obj_tptr+offset+4)>>31)));
+
+ ND_PRINT((ndo, "\n\t\t Direction: %s (%u)",
+ (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ?
+ "Transmit" : "Receive",
+ (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1));
+
+ ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)",
+ tok2str(lmp_obj_channel_status_values,
+ "Unknown",
+ EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF),
+ EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF));
+ offset+=8;
+ }
+ break;
+
default:
hexdump=TRUE;
}
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
339
340
341
342
343
344
345
346
347
348
ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ?
"Transmit" : "Receive",
(EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1));
ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)",
tok2str(lmp_obj_channel_status_values,
"Unknown",
EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF),
EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF));
+ show +
349
350
351
352
353
354
355
offset+=8;
}
break;
case LMP_CTYPE_IPV6:
default:
hexdump=TRUE;
}
+ show +
356
357
358
359
360
361
362
363
364
365
break;
case LMP_OBJ_CHANNEL_STATUS_REQ:
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
case LMP_CTYPE_UNMD:
offset = 0;
while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) {
ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+offset),
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
339
340
341
342
343
344
345
346
347
348
ND_PRINT((ndo, "\n\t\t Direction: %s (%u)", (EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1 ?
"Transmit" : "Receive",
(EXTRACT_32BITS(obj_tptr+offset+4)>>30)&0x1));
ND_PRINT((ndo, "\n\t\t Channel Status: %s (%u)",
tok2str(lmp_obj_channel_status_values,
"Unknown",
EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF),
EXTRACT_32BITS(obj_tptr+offset+4)&0x3FFFFFF));
+ show +
349
350
351
352
353
354
355
offset+=8;
}
break;
case LMP_CTYPE_IPV6:
default:
hexdump=TRUE;
}
+ show +
356
357
358
359
360
361
362
363
364
365
break;
case LMP_OBJ_CHANNEL_STATUS_REQ:
switch(lmp_obj_ctype) {
case LMP_CTYPE_IPV4:
case LMP_CTYPE_UNMD:
offset = 0;
while (offset < (lmp_obj_len-(int)sizeof(struct lmp_object_header)) ) {
ND_PRINT((ndo, "\n\t Interface ID: %s (0x%08x)",
ipaddr_string(ndo, obj_tptr+offset),
[tcpdump_CVE-2017-13003_1487567605_lmp_print.diff] lmp_print_OLD.c #22
case LMP_OBJ_SERVICE_CONFIG:
switch (lmp_obj_ctype) {
case LMP_CTYPE_SERVICE_CONFIG_SP:
-
+ if (obj_tlen != 4) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
ND_PRINT((ndo, "\n\t Flags: %s",
bittok2str(lmp_obj_service_config_sp_flag_values,
"none",
- EXTRACT_16BITS(obj_tptr)>>8)));
+ EXTRACT_8BITS(obj_tptr))));
ND_PRINT((ndo, "\n\t UNI Version: %u",
- EXTRACT_16BITS(obj_tptr) & 0x00FF));
+ EXTRACT_8BITS(obj_tptr+1)));
break;
case LMP_CTYPE_SERVICE_CONFIG_CPSA:
+ if (obj_tlen != 16) {
+ ND_PRINT((ndo, " (not correct for object)"));
+ break;
+ }
- link_type = EXTRACT_16BITS(obj_tptr)>>8;
+ link_type = EXTRACT_8BITS(obj_tptr);
ND_PRINT((ndo, "\n\t Link Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_link_type_values,
"Unknown", link_type),
link_type));
- if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH) {
+ switch (link_type) {
+ case LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH:
ND_PRINT((ndo, "\n\t Signal Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_signal_type_sdh_values,
"Unknown",
- EXTRACT_16BITS(obj_tptr) & 0x00FF),
- EXTRACT_16BITS(obj_tptr) & 0x00FF));
- }
+ EXTRACT_8BITS(obj_tptr+1)),
+ EXTRACT_8BITS(obj_tptr+1)));
+ break;
- if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET) {
+ case LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET:
ND_PRINT((ndo, "\n\t Signal Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_signal_type_sonet_values,
"Unknown",
- EXTRACT_16BITS(obj_tptr) & 0x00FF),
- EXTRACT_16BITS(obj_tptr) & 0x00FF));
+ EXTRACT_8BITS(obj_tptr+1)),
+ EXTRACT_8BITS(obj_tptr+1)));
+ break;
}
ND_PRINT((ndo, "\n\t Transparency: %s",
bittok2str(lmp_obj_service_config_cpsa_tp_flag_values,
"none",
- EXTRACT_16BITS(obj_tptr+2)>>8)));
+ EXTRACT_8BITS(obj_tptr+2))));
ND_PRINT((ndo, "\n\t Contiguous Concatenation Types: %s",
bittok2str(lmp_obj_service_config_cpsa_cct_flag_values,
"none",
- EXTRACT_16BITS(obj_tptr+2)>>8 & 0x00FF)));
+ EXTRACT_8BITS(obj_tptr+3))));
ND_PRINT((ndo, "\n\t Minimum NCC: %u",
EXTRACT_16BITS(obj_tptr+4)));
.\cloneFuncs\totalClone\Type-1\CVE-2017-13003_before_1mo_1472129825_lmp_print.c
386
387
388
389
390
391
392
393
394
395
ND_PRINT((ndo, "\n\t Error Code: %s",
bittok2str(lmp_obj_link_summary_error_values,
"none",
EXTRACT_32BITS(obj_tptr))));
break;
default:
hexdump=TRUE;
}
break;
+ show +
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
case LMP_OBJ_SERVICE_CONFIG:
switch (lmp_obj_ctype) {
case LMP_CTYPE_SERVICE_CONFIG_SP:
ND_PRINT((ndo, "\n\t Flags: %s",
bittok2str(lmp_obj_service_config_sp_flag_values,
"none",
EXTRACT_16BITS(obj_tptr)>>8)));
ND_PRINT((ndo, "\n\t UNI Version: %u",
EXTRACT_16BITS(obj_tptr) & 0x00FF));
break;
case LMP_CTYPE_SERVICE_CONFIG_CPSA:
link_type = EXTRACT_16BITS(obj_tptr)>>8;
ND_PRINT((ndo, "\n\t Link Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_link_type_values,
"Unknown", link_type),
link_type));
if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH) {
ND_PRINT((ndo, "\n\t Signal Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_signal_type_sdh_values,
"Unknown",
EXTRACT_16BITS(obj_tptr) & 0x00FF),
EXTRACT_16BITS(obj_tptr) & 0x00FF));
}
if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET) {
ND_PRINT((ndo, "\n\t Signal Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_signal_type_sonet_values,
"Unknown",
EXTRACT_16BITS(obj_tptr) & 0x00FF),
EXTRACT_16BITS(obj_tptr) & 0x00FF));
}
ND_PRINT((ndo, "\n\t Transparency: %s",
bittok2str(lmp_obj_service_config_cpsa_tp_flag_values,
"none",
EXTRACT_16BITS(obj_tptr+2)>>8)));
ND_PRINT((ndo, "\n\t Contiguous Concatenation Types: %s",
bittok2str(lmp_obj_service_config_cpsa_cct_flag_values,
"none",
EXTRACT_16BITS(obj_tptr+2)>>8 & 0x00FF)));
ND_PRINT((ndo, "\n\t Minimum NCC: %u",
EXTRACT_16BITS(obj_tptr+4)));
+ show +
447
448
449
450
451
452
453
454
455
456
ND_PRINT((ndo, "\n\t Maximum NCC: %u",
EXTRACT_16BITS(obj_tptr+6)));
ND_PRINT((ndo, "\n\t Minimum NVC:%u",
EXTRACT_16BITS(obj_tptr+8)));
ND_PRINT((ndo, "\n\t Maximum NVC:%u",
EXTRACT_16BITS(obj_tptr+10)));
.\cloneFuncs\totalClone\Type-2\CVE-2017-13003_before_6mo_1471267648_lmp_print.c
386
387
388
389
390
391
392
393
394
395
ND_PRINT((ndo, "\n\t Error Code: %s",
bittok2str(lmp_obj_link_summary_error_values,
"none",
EXTRACT_32BITS(obj_tptr))));
break;
default:
hexdump=TRUE;
}
break;
+ show +
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
case LMP_OBJ_SERVICE_CONFIG:
switch (lmp_obj_ctype) {
case LMP_CTYPE_SERVICE_CONFIG_SP:
ND_PRINT((ndo, "\n\t Flags: %s",
bittok2str(lmp_obj_service_config_sp_flag_values,
"none",
EXTRACT_16BITS(obj_tptr)>>8)));
ND_PRINT((ndo, "\n\t UNI Version: %u",
EXTRACT_16BITS(obj_tptr) & 0x00FF));
break;
case LMP_CTYPE_SERVICE_CONFIG_CPSA:
link_type = EXTRACT_16BITS(obj_tptr)>>8;
ND_PRINT((ndo, "\n\t Link Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_link_type_values,
"Unknown", link_type),
link_type));
if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SDH) {
ND_PRINT((ndo, "\n\t Signal Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_signal_type_sdh_values,
"Unknown",
EXTRACT_16BITS(obj_tptr) & 0x00FF),
EXTRACT_16BITS(obj_tptr) & 0x00FF));
}
if (link_type == LMP_SD_SERVICE_CONFIG_CPSA_LINK_TYPE_SONET) {
ND_PRINT((ndo, "\n\t Signal Type: %s (%u)",
tok2str(lmp_sd_service_config_cpsa_signal_type_sonet_values,
"Unknown",
EXTRACT_16BITS(obj_tptr) & 0x00FF),
EXTRACT_16BITS(obj_tptr) & 0x00FF));
}
ND_PRINT((ndo, "\n\t Transparency: %s",
bittok2str(lmp_obj_service_config_cpsa_tp_flag_values,
"none",
EXTRACT_16BITS(obj_tptr+2)>>8)));
ND_PRINT((ndo, "\n\t Contiguous Concatenation Types: %s",
bittok2str(lmp_obj_service_config_cpsa_cct_flag_values,
"none",
EXTRACT_16BITS(obj_tptr+2)>>8 & 0x00FF)));
ND_PRINT((ndo, "\n\t Minimum NCC: %u",
EXTRACT_16BITS(obj_tptr+4)));
+ show +
447
448
449
450
451
452
453
454
455
456
ND_PRINT((ndo, "\n\t Maximum NCC: %u",
EXTRACT_16BITS(obj_tptr+6)));
ND_PRINT((ndo, "\n\t Minimum NVC:%u",
EXTRACT_16BITS(obj_tptr+8)));
ND_PRINT((ndo, "\n\t Maximum NVC:%u",
EXTRACT_16BITS(obj_tptr+10)));
[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #1
switch (opt_type & PGM_OPT_MASK) {
case PGM_OPT_LENGTH:
- if (opt_len != 4) {
- ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != 4]", opt_len));
+#define PGM_OPT_LENGTH_LEN (2+2)
+ if (opt_len != PGM_OPT_LENGTH_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != %u]",
+ opt_len, PGM_OPT_LENGTH_LEN));
return;
}
ND_PRINT((ndo, " OPTS LEN (extra?) %d", EXTRACT_16BITS(bp)));
- bp += sizeof(uint16_t);
- opts_len -= 4;
+ bp += 2;
+ opts_len -= PGM_OPT_LENGTH_LEN;
break;
case PGM_OPT_FRAGMENT:
- if (opt_len != 16) {
- ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != 16]", opt_len));
+#define PGM_OPT_FRAGMENT_LEN (2+2+4+4+4)
+ if (opt_len != PGM_OPT_FRAGMENT_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != %u]",
+ opt_len, PGM_OPT_FRAGMENT_LEN));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
offset = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
len = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " FRAG seq %u off %u len %u", seq, offset, len));
- opts_len -= 16;
+ opts_len -= PGM_OPT_FRAGMENT_LEN;
break;
case PGM_OPT_NAK_LIST:
bp += 2;
- opt_len -= sizeof(uint32_t); /* option header */
+ opt_len -= 4; /* option header */
ND_PRINT((ndo, " NAK LIST"));
while (opt_len) {
- if (opt_len < sizeof(uint32_t)) {
+ if (opt_len < 4) {
ND_PRINT((ndo, "[Option length not a multiple of 4]"));
return;
}
- ND_TCHECK2(*bp, sizeof(uint32_t));
+ ND_TCHECK2(*bp, 4);
ND_PRINT((ndo, " %u", EXTRACT_32BITS(bp)));
- bp += sizeof(uint32_t);
- opt_len -= sizeof(uint32_t);
- opts_len -= sizeof(uint32_t);
+ bp += 4;
+ opt_len -= 4;
+ opts_len -= 4;
}
break;
case PGM_OPT_JOIN:
- if (opt_len != 8) {
- ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != 8]", opt_len));
+#define PGM_OPT_JOIN_LEN (2+2+4)
+ if (opt_len != PGM_OPT_JOIN_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != %u]",
+ opt_len, PGM_OPT_JOIN_LEN));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " JOIN %u", seq));
- opts_len -= 8;
+ opts_len -= PGM_OPT_JOIN_LEN;
break;
case PGM_OPT_NAK_BO_IVL:
- if (opt_len != 12) {
- ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != 12]", opt_len));
+#define PGM_OPT_NAK_BO_IVL_LEN (2+2+4+4)
+ if (opt_len != PGM_OPT_NAK_BO_IVL_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != %u]",
+ opt_len, PGM_OPT_NAK_BO_IVL_LEN));
return;
}
bp += 2;
offset = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
seq = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " BACKOFF ivl %u ivlseq %u", offset, seq));
- opts_len -= 12;
+ opts_len -= PGM_OPT_NAK_BO_IVL_LEN;
break;
case PGM_OPT_NAK_BO_RNG:
- if (opt_len != 12) {
- ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != 12]", opt_len));
+#define PGM_OPT_NAK_BO_RNG_LEN (2+2+4+4)
+ if (opt_len != PGM_OPT_NAK_BO_RNG_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != %u]",
+ opt_len, PGM_OPT_NAK_BO_RNG_LEN));
return;
}
bp += 2;
offset = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
seq = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " BACKOFF max %u min %u", offset, seq));
- opts_len -= 12;
+ opts_len -= PGM_OPT_NAK_BO_RNG_LEN;
break;
case PGM_OPT_REDIRECT:
+#define PGM_OPT_REDIRECT_FIXED_LEN (2+2+2+2)
+ if (opt_len < PGM_OPT_REDIRECT_FIXED_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u < %u]",
+ opt_len, PGM_OPT_REDIRECT_FIXED_LEN));
+ return;
+ }
bp += 2;
nla_afnum = EXTRACT_16BITS(bp);
- bp += (2 * sizeof(uint16_t));
+ bp += 2+2;
switch (nla_afnum) {
case AFNUM_INET:
- if (opt_len != 4 + sizeof(struct in_addr)) {
- ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
+ if (opt_len != PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in_addr)) {
+ ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != %u + address size]",
+ opt_len, PGM_OPT_REDIRECT_FIXED_LEN));
return;
}
ND_TCHECK2(*bp, sizeof(struct in_addr));
addrtostr(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in_addr);
- opts_len -= 4 + sizeof(struct in_addr);
+ opts_len -= PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in_addr);
break;
case AFNUM_INET6:
- if (opt_len != 4 + sizeof(struct in6_addr)) {
- ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
+ if (opt_len != PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in6_addr)) {
+ ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != %u + address size]",
+ PGM_OPT_REDIRECT_FIXED_LEN, opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in6_addr));
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
- opts_len -= 4 + sizeof(struct in6_addr);
+ opts_len -= PGM_OPT_REDIRECT_FIXED_LEN + sizeof(struct in6_addr);
break;
default:
goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
322
323
324
325
326
327
328
329
330
331
}
if (opts_len < opt_len) {
ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
return;
}
if (!ND_TTEST2(*bp, opt_len - 2)) {
ND_PRINT((ndo, " [|OPT]"));
return;
}
+ show +
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
switch (opt_type & PGM_OPT_MASK) {
case PGM_OPT_LENGTH:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != 4]", opt_len));
return;
}
ND_PRINT((ndo, " OPTS LEN (extra?) %d", EXTRACT_16BITS(bp)));
bp += sizeof(uint16_t);
opts_len -= 4;
break;
case PGM_OPT_FRAGMENT:
if (opt_len != 16) {
ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != 16]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " FRAG seq %u off %u len %u", seq, offset, len));
opts_len -= 16;
break;
case PGM_OPT_NAK_LIST:
bp += 2;
opt_len -= sizeof(uint32_t); /* option header */
ND_PRINT((ndo, " NAK LIST"));
while (opt_len) {
if (opt_len < sizeof(uint32_t)) {
ND_PRINT((ndo, "[Option length not a multiple of 4]"));
return;
}
ND_TCHECK2(*bp, sizeof(uint32_t));
ND_PRINT((ndo, " %u", EXTRACT_32BITS(bp)));
bp += sizeof(uint32_t);
opt_len -= sizeof(uint32_t);
opts_len -= sizeof(uint32_t);
}
break;
case PGM_OPT_JOIN:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != 8]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " JOIN %u", seq));
opts_len -= 8;
break;
case PGM_OPT_NAK_BO_IVL:
if (opt_len != 12) {
ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != 12]", opt_len));
return;
}
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " BACKOFF ivl %u ivlseq %u", offset, seq));
opts_len -= 12;
break;
case PGM_OPT_NAK_BO_RNG:
if (opt_len != 12) {
ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != 12]", opt_len));
return;
}
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " BACKOFF max %u min %u", offset, seq));
opts_len -= 12;
break;
case PGM_OPT_REDIRECT:
bp += 2;
nla_afnum = EXTRACT_16BITS(bp);
bp += (2 * sizeof(uint16_t));
switch (nla_afnum) {
case AFNUM_INET:
if (opt_len != 4 + sizeof(struct in_addr)) {
ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in_addr));
addrtostr(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in_addr);
opts_len -= 4 + sizeof(struct in_addr);
break;
case AFNUM_INET6:
if (opt_len != 4 + sizeof(struct in6_addr)) {
ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in6_addr));
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
opts_len -= 4 + sizeof(struct in6_addr);
break;
default:
goto trunc;
+ show +
443
444
445
446
447
448
449
450
451
452
break;
}
ND_PRINT((ndo, " REDIRECT %s", nla_buf));
break;
case PGM_OPT_PARITY_PRM:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len));
return;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
326
327
328
329
330
331
332
333
334
335
}
if (opts_len < opt_len) {
ND_PRINT((ndo, "[Total option length leaves no room for final option]"));
return;
}
if (!ND_TTEST2(*bp, opt_len - 2)) {
ND_PRINT((ndo, " [|OPT]"));
return;
}
+ show +
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
switch (opt_type & PGM_OPT_MASK) {
case PGM_OPT_LENGTH:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_LENGTH option, length %u != 4]", opt_len));
return;
}
ND_PRINT((ndo, " OPTS LEN (extra?) %d", EXTRACT_16BITS(bp)));
bp += sizeof(uint16_t);
opts_len -= 4;
break;
case PGM_OPT_FRAGMENT:
if (opt_len != 16) {
ND_PRINT((ndo, "[Bad OPT_FRAGMENT option, length %u != 16]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " FRAG seq %u off %u len %u", seq, offset, len));
opts_len -= 16;
break;
case PGM_OPT_NAK_LIST:
bp += 2;
opt_len -= sizeof(uint32_t); /* option header */
ND_PRINT((ndo, " NAK LIST"));
while (opt_len) {
if (opt_len < sizeof(uint32_t)) {
ND_PRINT((ndo, "[Option length not a multiple of 4]"));
return;
}
ND_TCHECK2(*bp, sizeof(uint32_t));
ND_PRINT((ndo, " %u", EXTRACT_32BITS(bp)));
bp += sizeof(uint32_t);
opt_len -= sizeof(uint32_t);
opts_len -= sizeof(uint32_t);
}
break;
case PGM_OPT_JOIN:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_JOIN option, length %u != 8]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " JOIN %u", seq));
opts_len -= 8;
break;
case PGM_OPT_NAK_BO_IVL:
if (opt_len != 12) {
ND_PRINT((ndo, "[Bad OPT_NAK_BO_IVL option, length %u != 12]", opt_len));
return;
}
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " BACKOFF ivl %u ivlseq %u", offset, seq));
opts_len -= 12;
break;
case PGM_OPT_NAK_BO_RNG:
if (opt_len != 12) {
ND_PRINT((ndo, "[Bad OPT_NAK_BO_RNG option, length %u != 12]", opt_len));
return;
}
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " BACKOFF max %u min %u", offset, seq));
opts_len -= 12;
break;
case PGM_OPT_REDIRECT:
bp += 2;
nla_afnum = EXTRACT_16BITS(bp);
bp += (2 * sizeof(uint16_t));
switch (nla_afnum) {
case AFNUM_INET:
if (opt_len != 4 + sizeof(struct in_addr)) {
ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in_addr));
addrtostr(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in_addr);
opts_len -= 4 + sizeof(struct in_addr);
break;
case AFNUM_INET6:
if (opt_len != 4 + sizeof(struct in6_addr)) {
ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in6_addr));
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
opts_len -= 4 + sizeof(struct in6_addr);
break;
default:
goto trunc;
+ show +
447
448
449
450
451
452
453
454
455
456
break;
}
ND_PRINT((ndo, " REDIRECT %s", nla_buf));
break;
case PGM_OPT_PARITY_PRM:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len));
return;
[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #2
break;
case PGM_OPT_PARITY_PRM:
- if (opt_len != 8) {
- ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len));
+#define PGM_OPT_PARITY_PRM_LEN (2+2+4)
+ if (opt_len != PGM_OPT_PARITY_PRM_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != %u]",
+ opt_len, PGM_OPT_PARITY_PRM_LEN));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " PARITY MAXTGS %u", len));
- opts_len -= 8;
+ opts_len -= PGM_OPT_PARITY_PRM_LEN;
break;
case PGM_OPT_PARITY_GRP:
- if (opt_len != 8) {
- ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len));
+#define PGM_OPT_PARITY_GRP_LEN (2+2+4)
+ if (opt_len != PGM_OPT_PARITY_GRP_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != %u]",
+ opt_len, PGM_OPT_PARITY_GRP_LEN));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " PARITY GROUP %u", seq));
- opts_len -= 8;
+ opts_len -= PGM_OPT_PARITY_GRP_LEN;
break;
case PGM_OPT_CURR_TGSIZE:
- if (opt_len != 8) {
- ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len));
+#define PGM_OPT_CURR_TGSIZE_LEN (2+2+4)
+ if (opt_len != PGM_OPT_CURR_TGSIZE_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != %u]",
+ opt_len, PGM_OPT_CURR_TGSIZE_LEN));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
ND_PRINT((ndo, " PARITY ATGS %u", len));
- opts_len -= 8;
+ opts_len -= PGM_OPT_CURR_TGSIZE_LEN;
break;
case PGM_OPT_NBR_UNREACH:
- if (opt_len != 4) {
- ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len));
+#define PGM_OPT_NBR_UNREACH_LEN (2+2)
+ if (opt_len != PGM_OPT_NBR_UNREACH_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != %u]",
+ opt_len, PGM_OPT_NBR_UNREACH_LEN));
return;
}
bp += 2;
ND_PRINT((ndo, " NBR_UNREACH"));
- opts_len -= 4;
+ opts_len -= PGM_OPT_NBR_UNREACH_LEN;
break;
case PGM_OPT_PATH_NLA:
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
437
438
439
440
441
442
443
444
445
446
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
opts_len -= 4 + sizeof(struct in6_addr);
break;
default:
goto trunc;
break;
}
ND_PRINT((ndo, " REDIRECT %s", nla_buf));
+ show +
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
break;
case PGM_OPT_PARITY_PRM:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY MAXTGS %u", len));
opts_len -= 8;
break;
case PGM_OPT_PARITY_GRP:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY GROUP %u", seq));
opts_len -= 8;
break;
case PGM_OPT_CURR_TGSIZE:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY ATGS %u", len));
opts_len -= 8;
break;
case PGM_OPT_NBR_UNREACH:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len));
return;
}
bp += 2;
ND_PRINT((ndo, " NBR_UNREACH"));
opts_len -= 4;
break;
case PGM_OPT_PATH_NLA:
+ show +
496
497
498
499
500
501
502
503
504
505
ND_PRINT((ndo, " PATH_NLA [%d]", opt_len));
bp += opt_len;
opts_len -= opt_len;
break;
case PGM_OPT_SYN:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len));
return;
}
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
441
442
443
444
445
446
447
448
449
450
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
opts_len -= 4 + sizeof(struct in6_addr);
break;
default:
goto trunc;
break;
}
ND_PRINT((ndo, " REDIRECT %s", nla_buf));
+ show +
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
break;
case PGM_OPT_PARITY_PRM:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY MAXTGS %u", len));
opts_len -= 8;
break;
case PGM_OPT_PARITY_GRP:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY GROUP %u", seq));
opts_len -= 8;
break;
case PGM_OPT_CURR_TGSIZE:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY ATGS %u", len));
opts_len -= 8;
break;
case PGM_OPT_NBR_UNREACH:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len));
return;
}
bp += 2;
ND_PRINT((ndo, " NBR_UNREACH"));
opts_len -= 4;
break;
case PGM_OPT_PATH_NLA:
+ show +
500
501
502
503
504
505
506
507
508
509
ND_PRINT((ndo, " PATH_NLA [%d]", opt_len));
bp += opt_len;
opts_len -= opt_len;
break;
case PGM_OPT_SYN:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len));
return;
}
.\cloneFuncs\totalClone\Type-3\CVE-2017-13018_before_6mo_1442517562_pgm_print.c
477
478
479
480
481
482
483
484
485
486
ND_PRINT((ndo, "[Bad OPT_REDIRECT option, length %u != 4 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, addr_size);
nla = bp;
bp += addr_size;
inet_ntop(nla_af, nla, nla_buf, sizeof(nla_buf));
ND_PRINT((ndo, " REDIRECT %s", nla_buf));
opts_len -= 4 + addr_size;
+ show +
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
break;
case PGM_OPT_PARITY_PRM:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_PRM option, length %u != 8]", opt_len));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY MAXTGS %u", len));
opts_len -= 8;
break;
case PGM_OPT_PARITY_GRP:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_PARITY_GRP option, length %u != 8]", opt_len));
return;
}
bp += 2;
seq = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY GROUP %u", seq));
opts_len -= 8;
break;
case PGM_OPT_CURR_TGSIZE:
if (opt_len != 8) {
ND_PRINT((ndo, "[Bad OPT_CURR_TGSIZE option, length %u != 8]", opt_len));
return;
}
bp += 2;
len = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
ND_PRINT((ndo, " PARITY ATGS %u", len));
opts_len -= 8;
break;
case PGM_OPT_NBR_UNREACH:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_NBR_UNREACH option, length %u != 4]", opt_len));
return;
}
bp += 2;
ND_PRINT((ndo, " NBR_UNREACH"));
opts_len -= 4;
break;
case PGM_OPT_PATH_NLA:
+ show +
536
537
538
539
540
541
542
543
544
545
ND_PRINT((ndo, " PATH_NLA [%d]", opt_len));
bp += opt_len;
opts_len -= opt_len;
break;
case PGM_OPT_SYN:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_SYN option, length %u != 4]", opt_len));
return;
}
[tcpdump_CVE-2017-13019_1490158185_pgm_print.diff] pgm_print_OLD.c #4
break;
case PGM_OPT_CRQST:
- if (opt_len != 4) {
- ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len));
+#define PGM_OPT_CRQST_LEN (2+2)
+ if (opt_len != PGM_OPT_CRQST_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != %u]",
+ opt_len, PGM_OPT_CRQST_LEN));
return;
}
bp += 2;
ND_PRINT((ndo, " CRQST"));
- opts_len -= 4;
+ opts_len -= PGM_OPT_CRQST_LEN;
break;
case PGM_OPT_PGMCC_DATA:
+#define PGM_OPT_PGMCC_DATA_FIXED_LEN (2+2+4+2+2)
+ if (opt_len < PGM_OPT_PGMCC_DATA_FIXED_LEN) {
+ ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u < %u]",
+ opt_len, PGM_OPT_PGMCC_DATA_FIXED_LEN));
+ return;
+ }
bp += 2;
offset = EXTRACT_32BITS(bp);
- bp += sizeof(uint32_t);
+ bp += 4;
nla_afnum = EXTRACT_16BITS(bp);
- bp += (2 * sizeof(uint16_t));
+ bp += 2+2;
switch (nla_afnum) {
case AFNUM_INET:
- if (opt_len != 12 + sizeof(struct in_addr)) {
- ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len));
+ if (opt_len != PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in_addr)) {
+ ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != %u + address size]",
+ opt_len, PGM_OPT_PGMCC_DATA_FIXED_LEN));
return;
}
ND_TCHECK2(*bp, sizeof(struct in_addr));
addrtostr(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in_addr);
- opts_len -= 12 + sizeof(struct in_addr);
+ opts_len -= PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in_addr);
break;
case AFNUM_INET6:
- if (opt_len != 12 + sizeof(struct in6_addr)) {
- ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len));
+ if (opt_len != PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in6_addr)) {
+ ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != %u + address size]",
+ opt_len, PGM_OPT_PGMCC_DATA_FIXED_LEN));
return;
}
ND_TCHECK2(*bp, sizeof(struct in6_addr));
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
- opts_len -= 12 + sizeof(struct in6_addr);
+ opts_len -= PGM_OPT_PGMCC_DATA_FIXED_LEN + sizeof(struct in6_addr);
break;
default:
goto trunc;
.\cloneFuncs\totalClone\Type-1\CVE-2017-13018_before_1mo_1442527004_pgm_print.c
525
526
527
528
529
530
531
532
533
534
}
bp += 2;
ND_PRINT((ndo, " RST"));
opts_len -= 4;
break;
case PGM_OPT_CR:
ND_PRINT((ndo, " CR"));
bp += opt_len;
opts_len -= opt_len;
+ show +
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
break;
case PGM_OPT_CRQST:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len));
return;
}
bp += 2;
ND_PRINT((ndo, " CRQST"));
opts_len -= 4;
break;
case PGM_OPT_PGMCC_DATA:
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
nla_afnum = EXTRACT_16BITS(bp);
bp += (2 * sizeof(uint16_t));
switch (nla_afnum) {
case AFNUM_INET:
if (opt_len != 12 + sizeof(struct in_addr)) {
ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in_addr));
addrtostr(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in_addr);
opts_len -= 12 + sizeof(struct in_addr);
break;
case AFNUM_INET6:
if (opt_len != 12 + sizeof(struct in6_addr)) {
ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in6_addr));
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
opts_len -= 12 + sizeof(struct in6_addr);
break;
default:
goto trunc;
+ show +
576
577
578
579
580
581
582
583
584
585
break;
}
ND_PRINT((ndo, " PGMCC DATA %u %s", offset, nla_buf));
break;
case PGM_OPT_PGMCC_FEEDBACK:
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
.\cloneFuncs\totalClone\Type-1\CVE-2017-13019_before_imd_1490150968_pgm_print.c
529
530
531
532
533
534
535
536
537
538
}
bp += 2;
ND_PRINT((ndo, " RST"));
opts_len -= 4;
break;
case PGM_OPT_CR:
ND_PRINT((ndo, " CR"));
bp += opt_len;
opts_len -= opt_len;
+ show +
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
break;
case PGM_OPT_CRQST:
if (opt_len != 4) {
ND_PRINT((ndo, "[Bad OPT_CRQST option, length %u != 4]", opt_len));
return;
}
bp += 2;
ND_PRINT((ndo, " CRQST"));
opts_len -= 4;
break;
case PGM_OPT_PGMCC_DATA:
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);
nla_afnum = EXTRACT_16BITS(bp);
bp += (2 * sizeof(uint16_t));
switch (nla_afnum) {
case AFNUM_INET:
if (opt_len != 12 + sizeof(struct in_addr)) {
ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in_addr));
addrtostr(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in_addr);
opts_len -= 12 + sizeof(struct in_addr);
break;
case AFNUM_INET6:
if (opt_len != 12 + sizeof(struct in6_addr)) {
ND_PRINT((ndo, "[Bad OPT_PGMCC_DATA option, length %u != 12 + address size]", opt_len));
return;
}
ND_TCHECK2(*bp, sizeof(struct in6_addr));
addrtostr6(bp, nla_buf, sizeof(nla_buf));
bp += sizeof(struct in6_addr);
opts_len -= 12 + sizeof(struct in6_addr);
break;
default:
goto trunc;
+ show +
580
581
582
583
584
585
586
587
588
589
break;
}
ND_PRINT((ndo, " PGMCC DATA %u %s", offset, nla_buf));
break;
case PGM_OPT_PGMCC_FEEDBACK:
bp += 2;
offset = EXTRACT_32BITS(bp);
bp += sizeof(uint32_t);